<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 01/15/2014 03:33 PM, Salz, Rich
wrote:<br>
</div>
<blockquote
cite="mid:2A0EFB9C05D0164E98F19BB0AF3708C711E91F9ED0@USMBX1.msg.corp.akamai.com"
type="cite">
Agree. So why is a boycott a good thing? Why punish someone for
being tricked? (Not specifically directed to Ian). It seems to me
the better object lesson is that one of the strongest cryptography
companies in the world (at the time) was tricked into possibly
making many of their customers vulnerable. How can we move forward
from this?</blockquote>
<br>
I want everyone to see blood (figuratively), and be afraid. For
their jobs, for their reputations.<br>
<br>
Every few minutes some other business has a data breach, and it
seems their big worry is always publicity ("Can we kill a
messenger?"). Let's up the stakes. I want to see a little operant
conditioning, apply some pain to mistakes, and see people trying to
avoid being part of blunders.<br>
<br>
Security doesn't sell, let's at least make security blunders cost.<br>
<br>
RSA needs to be seen as having paid dearly for their very bad
mistake. People in corporations need to be able to invoke "RSA" and
have others shudder. I don't care if others have also done bad
things, I want RSA made an example. How much worse could they have
behaved? Make an example of them. <br>
<br>
How much money did EMC pay for RSA? I want EMC (and others) to see
that a purchase can be destroyed if they misbehave and just cash the
big check. Did EMC managers encourage them to be profitable, praise
them for the nice haul? I think we can assume "yes". Did EMC put <i>any</i>
real effort into policing RSA's integrity? We don't know, but I
guess "not really"; clearly it was not enough. Make EMC pay for
that. <br>
<br>
Security doesn't sell. At least make security blunders cost.<br>
<br>
-kb<br>
<br>
</body>
</html>