Davin wrote: I'm not arguing those responsible for the security should not hold some blame for a breach, I'm arguing against the idea of blaming the victim for an attack (unless the victim went around saying, "come at me, bro!").
... but even if someone is lax with their security, it's not their fault if someone attacks them. It's the aggressor's fault.
I think I can see an element of logic there where the aggressor is always "at fault" in, say, child abuse by a priest, being coshed from behind in a street mugging etc, in places where one might have a right to expect safety. In the world of politics, or in commerce, the naïve person who does not take every possible opportunity to ensure security of sensitive information, who does not react appropriately to an advised threat, is incompetent. [...]
We are all hackable. No one is safe from hacking. All we can do is make it more difficult, but we can't prevent it. Those involved with this one made it easy. However, do you think the Russian hackers would have stopped if this one method didn't work? I don't think they would, I think the Russian hackers would have kept going until they succeeded. Do you think this was the first and only attack that the Russian hackers attempted? I highly doubt it.
Not really the place for this but...
Humans have been attracted to the idea of attacking the defences of others, for reasons from defeating them in war through pecuniary gain and hatred to simple schadenfreude, since at least the beginning of recorded history, but it seems that some simply do not learn. So, if they are not to "blame" in your understanding of the term then, if they are in a position to safeguard important (to whoever) data they are inadequate for or incompetent in their job and need to be replaced. Retraining in the same field will probably not help them because they have the wrong mindset to start with.
Go back to manual typewriters and paper memos for the really important stuff? There was a story that the Russians did just that. But you might need lots of high security vaults for storage . . .
Are you seriously presenting the, "well people have urges, you can't blame them for acting on them" argument?
Because my answer is: fuck yes we can blame them for acting on their urges. Always. You are setting a shitty precedent by saying otherwise.
If someone forgot to lock their door one day, and their house gets broken into, do you blame them for getting robbed because they are incompetent? Or, like me, do you blame the thieves?
I get the urge to urinate from time to time, that is an undeniable need. However I don't pee on other people and then blame them for it while saying, "humans have a long history of needing to pee..."
Again. Yes, they are in a position of being responsible for safeguarding data. But again, all systems, no matter how competent those responsible for security are, are vulnerable to being hacked. How do you think security vulnerabilities get there? The answer is: the vulnerabilities are already there, someone finds it and exploits it. If they are a good person, they'll inform the developer of the thing they found a hole. Some people are hired by the company that develops the software to try to find exploits. If they are a bad person, they will try to exploit it themselves and/or sell it off to others. On your devices, there exist multiple vulnerabilities, people just haven't found them yet.
Also again, while I agree that in this case they made it easier and fell victim to classic social engineering techniques, I doubt that was the first attempt nor would it have been the last attempt if that one didn't work. I would replace them too. But it's the attackers that get the blame for the attack.