Comments on: For F-Secure, it's all about the safety net

Kimmo Alkio takes stock of the current state of hackers, attackers, dot-bank domains and mobile phone viruses.

[nedlohs]

new dot-bank top-level domain

I work for a community bank as its CFO. I understand the idea that a "$50,000" fee would deter some, that is prohibative for a small bank. For Wells Fargo/Chase and the big banks, its a blip. For us, with less than 100 employees, it would be devistating. Also, we own several names due to a name change a few years back and for abbreviation. This would run up very fast and be a budget buster for us.

[n3td3v]

security researchers should be held more accountable for security incidents

the government need to stop information and tools reaching the cyber terrorists in the first place by making security researchers more accountable for critical disclosures to the public.

for every security incident that occurs because of a security researcher disclosing information to the public domain, that security researcher should be held accountable.

supplying the bad guys with the tools to carry out the cyber attack should have the same weight as carrying out the cyber attack its self.

we're not saying full disclosure is banned, but what the government should be saying is, if your vulnerability/exploit code/information/tool is used in a cyber attack by someone, then that someone should be jailed or heavily fined as well as the security researcher who originally made it possible for that someone to carry out the cyber attack/security incident in the first place.

it should be the security researcher who decides how critical his disclosure will be and how many security incidents that dislcosure may result in, and its that security researcher who should decide after that if his potential legal position will lead to him being heavily fined or end up in jail or if he decides his disclosure isn't critical then feel happy about making a full disclosure to the public-at-large.

[Schratboy]

Accountability begins at home

Dude, the technology vendors are digging into exploits just so they can bleat the findings and positions themselves better in the marketplace. Notwithstanding the publicity seekers, every organization should focus on their own knitting: defining what's allowable business processes and zeroing out everything else. However, with sloppy policies and non-existent enforcement, seemingly innocuous employee entertainment opens the door to exploits and data leaks...and everybody is blaming the vendors?!

The massive over-spending on IT security is pseudo-comfort for the IT manager (look at how much money I've spent) and for the practitioners of fear, uncertainty and doubt. You're better of buying more than you need because you'll never know when you can be hit. Indeed! The narrow-mindedness of today's end-to-end technology vendors is stupefying and brazen. No technology can assure 100% security. Rule-based technology can't tell you what it missed. Only by examining what happening can you reasonable assess if incidents are held in check or if the wheels are slowly falling off the wagon.

Stop shooting the messengers (technology vendors) and start doing the job you're paid to do...and do it without exceeding your budget year after year.

[ColdMast]

why can't the government stop hurricans?

If flaws were never pointed out patches would never exist. Cyber-Terrorist would only be able to repeat the same attacks over and over again.

You act as the digital "enemy" doesn't research their own for exploits.

quote: GOVERNMENT -- should stop information
don't they already

[RacerX7]

It's called "Personal Responsibility"

The government is NOT my parent or babysitter.
Nor are software vendors.

The security researchers just make vunerabilities public. It doesn't mean they are the first to know about it. By making the public aware of a PRE-EXISTING flaw allows people to take precautions to defend themselves. If a person chooses not to take adequate precautions, that is their problem. Not the government's. Not the researcher's.

You want a 100% safe guarantee? Then unplug your computer and walk away.

Time to stop playing "victim" and take personal responsibility.