You can't :)

There is a huge Market for Lemons (https://en.wikipedia.org/wiki/The_Market_for_Lemons) style scenario in IT systems with relation to security.

Everyone will say "we take security seriously", but there's no way for ordinary consumers (or indeed most companies) to determine what the company meant by their statement, and to evaluate the relative security of the systems of two companies.

This could actually provide a market incentive for companies not to spend too much on security, as those that do will have lower profits than those that don't... until they get breached, and even then companies with good security can be breached...

I don't think it's actually that bad; for example, Patreon said that they don't store CCs and that they correctly hashed passwords, and as a consumer myself, I did take that into account. Obviously less knowledgeable consumers don't know what "bcrypt" is, but that's true of any product - you can't judge what you don't know how to judge.


So with two Patreon-style sites, both of which say "we take security seriously", until they have a breach, how would you judge which one would take better care of your data?

The information (AFAIK) about their security mechanisms only got released as a result of the breach, so even assuming you knew what the terms were and how to judge good security from bad, you wouldn't have the information until the site got compromised.

This is a very common problem; some more examples here: http://raesene.github.io/blog/2014/06/08/finding-security/


The information that they didn't store CC cards was available in FAQs previously: https://patreon.zendesk.com/hc/en-us/articles/203913779-Do-y...

The password hashing algorithm wasn't, but then again an informed consumer uses unique passwords for each site, so that's less relevant.


Many informed customers - perhaps most - use the same passwords on many sites because it's too hard to remember hundreds of passwords.


I don't think they're particularly informed if they aren't aware of password managers.


I'm aware, I just can't be bothered. Every time I create an account I ask myself "do I care if this gets compromised?". If the answer is no, then it gets a standard password.


As long as you understand that when that site gets compromised, all other sites where you use your standard password get compromised for you as well. Collectively, all those sites getting compromised for you may be enough of a reason to consider password managers.


They may be informed and "aware" that password managers are a pain to use compared to using the same password for every site.


You can't judge which is better after a single breach either.


I love that phrase, it so aptly describes lots of markets (e.g. data vis/big data systems). Thanks for the link!


Maybe the answer is some sort of audit and certification.