Still seems far, far more likely that the average user will have their account stolen via password theft/reuse than the more complicated scheme the author is describing. Links instead of codes also fixes the issue.
This will never, ever, ever stop happening until executives start going bankrupt and/or to jail for negligence. Even then it won’t stop, but it would at least decrease in frequency and severity.
Unless there is willful negligence (very difficult to prove) or malicious behavior I don't think putting people in jail will help. Most of this stuff happens by accident not by intent.
Financial consequences to the company might be a deterrent, of course then you're dealing with hundreds or thousands of people potentially unemployed because the company was bankrupted by something as simple as a mistake in a firewall somewhere or an employee falling victim to a social engineering trick.
I think the path is along the lines of admitting that cloud, SaaS and other internet-connected information systems cannot be made safe, and dramatically limiting their use.
Or, admitting that a lot of this information should be of no consequence if it is exposed. Imagine a world where knowing my name, SSN, DOB, address, mother's maiden name, and whatever else didn't mean anything.
Imagine using this defence with regards to airline crashes. "The crashes happen by accident not by intent" would be a clearly ludicrous defence, as it ought to be here as well.
If we were serious about preventing these kinds of things from happening, we could.
If we're OK with regulating SaaS companies (and anyone who connects their information systems to the internet) the way we do the airline industry, that may be an argument.
Bottom line though, a good many folks here would loudly resist that kind of oversight on their work and their businesses, and for somewhat valid reasons. Data breaches hardly ever cause hundreds of deaths in a violent fireball.
If the consequences of an airline crash were just some embarrassment and some inconvenience for the passengers, they would happen a lot more.
Also people almost never go to jail for airline crashes, even when they cause hundreds of deaths. We investigate them, and maybe issue new regulations, not to punish mistakes, but to try to eliminate the possibility of them happening again.
> Data breaches hardly ever cause hundreds of deaths in a violent fireball.
Insurance people will be happy to tell you the price of the average citizen's life. Estimate the total cost to the economy, divide by the average citizen's life-value and you have the statistical deaths caused by this type of incident. Draw a fireball next to it for dramatic effect.
But generally, I don't think _every_ SaaS needs to be tightly regulated. But everyone that handles customer data needs to be. It would also very quickly make them stop hoovering up any data they can get their fingers on and instead would make them learn how to provide their services securely without even having access to the data, because having that data suddenly becomes a liability instead of an opportunity.
> We investigate them, and maybe issue new regulations, not to punish mistakes,
This is not quite accurate. In the US for example, the NTSB investigates the causes of an incident, and the FAA carries out any subsequent enforcement action. Whereas the NTSB may rule the cause as pilot error due to negligence for example, the FAA may revoke the pilot's license and/or prosecute them in a civil case to the tune of a hundred thousand dollars and/or refer them to the Department of Justice for criminal prosecution.
At some point, some US department figured that they can practically budget a human life to cost around 10 million dollars - I wonder if the total amount of lives lost in airline incidents would incur the same amount of money lost as all the fraud that takes place after data breaches like these.
> Most of this stuff happens by accident not by intent.
Consider the intent of not hiring enough security staff and supporting them appropriately. It looks a lot like an accident. You could even say it causes accidents.
Hiring more people does not prevent the chance of mistakes. It may even increase them. I know places that spend lavishly on security (and employee education w/r/t social engineering, etc.) and have still been breached.
Google and Apple spend lavishly on security and are probably the most heavily attacked companies in the world, often by nation-state adversaries. Yet as far as I can remember, neither has had a successful breach like this in well over a decade.
Remove limited liability. Have the stockholders bear the full economic cost of the victims without any limit. They want to profit, they take full risk with all of their property.
This can't be done in the modern financial system, I'd recommend holding senior execs and the members of the board responsible instead.
Shareholders may well be based overseas so it'd be very difficult to actually enforce the fines. They might also use overseas limited liability investment corporations, so fines would just bankrupt those companies leaving the actual shareholders never falling below zero.
There's also the political issues that'd come from potentially giving fines to millions of people because their pension funds invested in a company that had a data breach.
Haha, I still vividly remember how they were trying to make me believe that GDPR is going to be a big hammer because it will finally make executives liable for breaches. I silently laughed back then. I am still laughing.
I should probably clarify: There are two types of people that claimed that back then. Those trying to gaslight us, and those naive enough to actually believe the gaslighting. Severe negligence has to be proven, and that is not easy, and there is a lot of wiggle room in court. Executives being liable for what they did during their term is just not coming, sorry kids.
This is a really fun exercise; a rare example of something that's "data-centric" without being soulless.
I think it's fascinating how it illustrates weirdness about how Americans think about and categorize "ethnic" food. For example, the author's analysis of Google data shows Glendale, CA ranks #1 for "Highest prevalence of Mediterranean Restaurants." But I am nearly certain the majority of these, given Glendale's demographics, are in fact Armenian or Persian restaurants. Both Iran and Armenia are of course quite far from the Mediterranean region, but for whatever reason (rice? flat breads? grilled things on a stick?) have gotten lumped in with some Americanized, genericized conception of "the Mediterranean" that's indistinguishable from "the Middle East." I would imagine you'd find the same thing happening on Yelp etc.
> some Americanized, genericized conception of "the Mediterranean" that's indistinguishable from "the Middle East."
The same happens with the food itself. I had a chat with a restaurateur in Switzerland, and he explained all the modifications he had to make in order to sell "Chinese" food. "They didn't have bean sprouts when I first came, and they will look like they are dying if there's any amount of spice in it."
The famous example of this is Chicken Tikka Masala, which is a British take on Indian food. You can't open an "Indian" restaurant in the UK and not put it on the menu, just as you must have the step-ladder of spice with Indian sounding names (Korma, Madras, Vindaloo). IIRC similar to General Tso's Chicken when it comes to ordering Chinese in the US, gotta be on the menu.
People simply come to expect certain things with certain foods, often disconnected from the place that inspired it. When you open an ethnic restaurant, it's almost like joining a franchise. You aren't formally paying McDonald's when you open a Chinese takeaway, but you do have to have things on the menu that people recognize, so the labels "Thai", "Ramen", "Japanese", etc. function a bit like a franchise.
> The famous example of this is Chicken Tikka Masala, which is a British take on Indian food.
as an indian i have to push back against this myth a bit - chicken tikka masala might have been invented in the UK, but it's a variant on similar indian dishes (butter chicken in particular) that not only would be right at home in many restaurants within india, but actually is! i don't even consider it fusion cuisine; it was invented by a south asian chef who happened to be living in the UK at the time, and the flavour profile is as "authentically" indian as any of the other standard punjabi-inspired north indian restaurant classics.
I'd say that the step-ladder of spiced Indian dishes are more associated with takeaways and cheaper restaurants. High quality Indian restaurants in the UK will tend to feature a specific region and only have a handful of dishes.
Same with higher end restaurants in the US for Chinese and Indian food.
Depending on where you are the cheaper restaurants in immigrant communities will be similar.
You get the regional food the chef's mother made. Occasionally, there are local substitutions (different mangos, peppers, meat cuts).
Higher end Chinese or Indian restaurants are pretty rare in the US. Both cuisines have been relegated to the fast, cheap delivery/takeout space and places doing higher-end (and higher priced) dishes find it difficult to get customers.
A bit like writing a fantasy novel. You aren’t paying any Tolkien Estate licensing fees, but people expect the established elves, trolls, dwarves, goblins, dragons, etc.
A more historical example of the same phenomenon may be commedia dell'arte.
BTW this happens all around the world. There are some staple dishes found at every Chinese restaurant in Korea, which are only tangentially related to Chinese food sold anywhere else.
Korean-Chinese cuisine is its own thing. Many of its staples like tangsuyuk and jjajangmyeon are based on Dongbei cuisine (Northeast China, next to Korea) and Shandong cuisine (across the Yellow Sea from Korea), which are both fairly uncommon outside China.
I recently spoke with someone who traveled to Thailand. She didn’t like the Pad Thai in Thailand and instead preferred the one in NYC with yellow color on the noodles.
Plus lots of salad and olive oil. I believe the use of "Mediterranean" is to avoid strange expectations about Middle Eastern food, which many people seem to erroneously expect to be more like Indian.
Agreed, I am wondering if you could extract food truck data from the various licensing databases. That question arises because in some places food trucks have replaced the statistically improbable 'hole-in-the-wall' restaurant for some of the same reasons those restaurants existed: relatively low cost of entry.
I won't link them, but they are quite easy to find... Most of the accounts offering them are custom DIY drones. The fiber optic attachment spools seem to be mass produced though.
Fun tip: If you have an iPhone, rapidly pressing the power button five times will force your phone to require a password before Face ID will work again. Turning your device off entirely will also necessitate password reentry.
Right, I'd recommend that anyone worried about this power off their laptop (assuming you've got full disk encryption turned on) and phone before going through security, customs, etc.