Thomas Delrue on 7 Apr 2018 14:22:05 -0700



Re: [PLUG] Fwd: [FD] Massive Breach in Panera Bread


On 04/07/2018 01:41 PM, Rich Kulawiec wrote:
> This is typical, and this is why the "responsible disclosure" mythos
> is utterly worthless.

... with certain entities.

I usually agree with you but I think you're painting with too broad a
brush here. Some people /do/ want to do the right thing, and then following
some sort of responsible disclosure process (however you wish to define
that) is the right thing to do. Let's not toss out the baby with the
bathwater.

On top of that, I think that everyone deserves a second and sometimes
(depending on who they are) even a third chance. Not extending them that
courtesy would not be ... 'responsible' of us either.

Some people/entities (like Panera in this case) are just hard-headed
& have demonstrated that the responsible thing to do is to just disclose
and force said entity to deal with the problems of their own
making, because keeping the issue under wraps would be irresponsible.
The 'responsible' in 'responsible disclosure' cuts both ways: the
individual reporting the incident but also the entity receiving the
report. There are requirements on both sides. I think that many
companies don't quite realize the second edge of the knife.

As I said before: the 'responsible' thing to do in this case was to
disclose far and wide and screw over Panera.
I have no love for Panera in this situation; burn it, burn it to the
ground, and by all means, make it as bloody and as painful for them as
it possibly can be. Because it's the only way that they will learn!

At this point, I'd recommend that everyone look into popcorn futures,
because we'll continue to see these things until CIOs (and other CxOs,
VPs and the like) are actually held accountable for them; and I
don't mean token accountability, I mean real accountability that
serves as an effective deterrent - I can dream, can't I...
Until then, as someone else mentioned, this will continue to be
treated as a problem for the PR department.


___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug