is this legal advice you are offering, as someone practicing law in the uk? because you are all over this thread stating your opinion very confidently.
(conveniently, there is no risk to yourself if you happen to be wrong or misinformed.)
No, I'm not offering legal advice, and neither am I stating an opinion. I'm simply quoting Ofcom, the regulatory body responsible for overseeing this law.
A valid point, and maybe I should have phrased it differently. I've deleted the comment which used the word "misinformed", so as not to cause any confusion.
My point is simply that the Ofcom quote clearly states that user comments on an article are not subject to the Online Safety Act. I assume this is a fact, as it's from the horse's mouth.
Some people appear to be basing their opinions on the assumption that the OSA does apply to such comments (hence my use of the offending word).
>Please note: The outcome of this checker is indicative only and does not constitute legal advice. It is for you to assess your services and/or seek independent specialist advice to determine whether your service (or the relevant parts of it) are subject to the regulations and understand how to comply with the relevant duties under the Act.
I mean even the site itself says it really shouldn't be used for legal advice...
On top of that, none of this matters until said law is settled under a case. Most often it's the first judge and the set of appeals after that point that define how the law is actually implemented. Everything before that is bluster and potential risk.
>As someone who's older, and is just generally gobsmacked all the time by the sloppiness in cybersecurity, all of this is just not surprising.
as someone who used to work in cybersec (and is also older), most of the time (in my experiences) it isn't sloppiness.
1) people fight tooth and nail against anything that inconveniences them. security is almost always going to be an inconvenience tradeoff, so it is always fought against. from every person and every department. rolling out 2fa was worse than pulling teeth, despite it being a single button press ("approve") on the phone, once or twice a day (or less). c-suite is the worst, demanding exclusions and bypasses. it's hard to say no to your boss's boss when they refuse to use a password manager, refuse to set up 2fa, or whatever the case is.
2) security offers no immediate or visible return on investment. so, it gets little to no positive attention by c-suite and even less budget. you end up with underpaid, under-qualified, over-worked people trying to figure out which thing they might be able to secure out of the 10 things that need securing. half of them will be tied up trying to explain to someone why they can't use the company name as their password or begging someone to use the password manager.
even here, a forum of hackers, security is often put in scare quotes and almost always mentioned beside the word "theater". people brag about still running windows 7, because it was the last good windows. antiviruses aren't needed. X security feature is just a lie so that company Z can control my device. people get big mad when a company rolls out mandatory 2fa. and so on.
edit: case in point, on this thread a comment was just posted with "I think you can argue that cybersecurity doesn't really matter, in the grand scheme of things."
On 1) -- yes, but that's just how it is: I love the thing I read recently like "If people would just." -- okay, you can stop there, because people will never "just." But it really doesn't matter; you engineer the best you can around that. My favorite go-to example here is elevators. We have successfully safety-engineered elevators so well that any idiot can shove their hand in front of a two-ton door and the result will be so harmless that it's a common practice now. Surely we can do that for CLICKING ON LINKS.
>And yet, the public conversation around them has been quiet to the point of being strange.
i don't think it's that strange. there are multiple wars raging on, with many people fearing the breakout of a global conflict. a giant pedophile ring has been exposed that no one in power seems interested in doing anything about. prices for everything are haywire. markets are an absolute rollercoaster, hinging completely on one man's late-night tweets. and so on.
people just don't have the bandwidth to also learn about what an npm or github is, and why a hack of it is important. news stations are going to pick the news that results in the most people tuning in to watch. that is war, not whatever a mercor is.
the non-tech (and many of the tech) people in my life are also just plain tired of hearing about hacks. they have heard that their information has been stolen 10 times or whatever in the last 5 years. they have heard 100s of "this company was hacked" stories. "another hack? who cares?".
The issue is also one of agency: the public has absolutely no agency in this. There is nothing an ordinary member of the public can do to avoid having their data exposed, there is nothing they can do to cause corporations to have more robust security models nor to cause actual consequences for all the executives that chose profit over security at every possible decision point.
To the public this becomes like the risk of being hit by lightning or being in a car accident, just background noise we avoid thinking about as much as possible. It is just the cost of living in this economy.
> a giant pedophile ring has been exposed that no one in power seems interested in doing anything about
But that's not true. The European Union and many other countries are taking extreme measures to ensure that what happened in the United States never happens with them and they are introducing a bunch of different measures to strengthen control over society, the media sphere, and other measures to ensure that no pedophile rings could be exposed.
"A 2024 report on child sex exploitation in Rochdale from 2004 to 2013 found that there was "compelling evidence" of widespread abuse, and that Greater Manchester Police and Rochdale Council had failed to properly investigate these cases, leaving girls "at the mercy of their abusers". While there were successful prosecutions, the report said that the investigations carried out during the period covered by the report only "scraped the surface" of what had happened, and that many abusers had gone unpunished."
As fatiguing as legal breach notices are to lay people, it's equally frustrating as a dev because security is not a distinguishing feature we can advertise in our product so we can't prioritize it at all. Let the lawyers figure it out later seems to be best practice now.
And of course vuln finding is now automated, so even if we do a good job locking it down this morning, nothing will keep out the next wave tonight.
Plus, our current political atmosphere encourages digital chaos, for example gutting CISA.
HN is a bit of a bubble in that people here tend to be quite privacy focused and would be horrified at the prospect of their details being leaked.
For a lot of normal people that's not the case, and as long as they don't get someone actually stealing their identity etc. they aren't really concerned about these kinds of things.
Frustratingly, I have my foot in both worlds to a degree. I'm interested enough in tech to pay attention and often lurk the tech bubble that is HN and hear about the raging dumpster fires from the folks who live and work in that domain. But I exist in a mostly non-tech world IRL where this exists among the other burning dumpster fires to the point that I can't care about another data hack, and I hate that I don't have the bandwidth to care. To a more acute degree, my mother was nearly wiped of half her life savings by "hackers"/fraudsters posing as employees of her bank. Being "hacked" is a part of life now, and outrage fatigue is real.
> a giant pedophile ring has been exposed that no one in power seems interested in doing anything about
This was one of the things Trump got elected on in 2024 - many Republican voters were extremely keen on this being addressed. I'm glad Trump's fumbled it now so the Democrats are interested in addressing it, though for the wrong reasons.
> so the Democrats are interested in addressing it
They're not any more interested in addressing it than the existing administration - it's just a talking point like everything else. Ammunition to get elected and then put away in a dark closet.
you hand-audit every update for every program you run? can you share your workflow to do this?
otherwise, i am not sure how you can possibly guarantee that the programs you are running "dont do shady shit" (or, "wont do shady shit" in the future). there have been several compromises of non-shady programs and libraries in recent memory.
>The comments that followed were a bit off the rails. There's no conspiracy here from Microsoft. But the Internet discussion wound up catching the attention of Microsoft, and a day later, the account was unblocked, and all was well. I think this is just a case of bureaucratic processes getting a bit out of hand, which Microsoft was able to easily remedy. I don't think there's been any malice or conspiracy or anything weird.
it was a bit crazy how quickly people got conspiracy-minded about it.
microsoft fucked up, and as per typical big-tech, only fixed it when noise got made on social media. but not everything is a grand conspiracy orchestrated by microsoft or the government or whatever. incompetence is always more likely than malice.
any news from the veracrypt maintainers? i would imagine whatever microsoft employee got tasked with resolving this issue would have also seen that one.
---
edit: well, i certainly underestimated the response to this comment. my mistake for using a common saying rather than being extremely explicit when it comes to something as emotionally charged as microsoft. i don't think i have seen a comment of mine go up and down points so many times before.
what i intended to get across was: "this was not a deliberate, coordinated, purposeful attack on the wireguard project, at the behest of some microsoft executive, to accomplish some goal of making encrypted communication impossible or whatever. instead, this was the result of a stupid system, with a stupid resolution process (social media), that is still awful, but different in important ways from a deliberate attack. this is the typical scenario (stupid system, stupid resolution). the non-typical scenario would be a deliberate choice made and executed by microsoft employees to suddenly destroy a popular project".
i shortened the above paragraph to the common saying "incompetence is always more likely than malice". i shouldn't have. my bad.
"Incompetence" of this degree is malice. It is actively malicious to create a system that automatically locks people out of their accounts with absolutely no possibility for human review or recourse short of getting traction in the media. "No sir, I didn't grind those orphans up. It was this orphan grinding machine I made that did it, teehee!"
i am positive that you understand the spirit of what that saying means.
incompetence is always more likely than [intentional, directed] malice.
microsoft employees did not deliberately attack the wireguard project with a goal of taking it down for whatever grand scheme people's hatred cooks up. if you have evidence that microsoft did this deliberately to ruin the wireguard project, please forward it along to jason (the wireguard maintainer) and several news outlets.
Where possible I recommend not caring because figuring out whether malice was present is difficult and you can likely address a problem without needing to be sure.
For example by creating working processes which never end up "accidentally" causing awful outcomes. This is sometimes more expensive, but we should ensure that the resulting lack of goodwill if you don't is unaffordable.
Worst case there is malice and you've now made it more difficult to hide the malice so you've at least made things easier for those who remain committed to looking for malice, including criminal prosecutors.
>Worst case there is malice and you've now made it more difficult to hide the malice so you've at least made things easier for those who remain committed to looking for malice, including criminal prosecutors.
i am quoting the maintainer of the project. take it up with them if you think microsoft coordinated a directed attack on their project.
I think you're missing the point of the person you're replying to.
It's really easy to end up with procedural machinery that makes it unpleasant for other entities that you don't like.
It seems to get the things that you do like and value less often. Why? Because you think about the consequences to what you consider important and you're inclined to ignore potential consequences to those you oppose or are competing with.
The Vogons weren't necessarily overtly malicious when they obliterated Earth.
Yes, the maintainer continues to be held hostage by Microsoft, so it is no surprise that they don't publicly denounce Microsoft or ascribe ill intent or in any way speak ill of Microsoft.
And the person you are responding to is asserting that the response to incompetence of this level should be the SAME as if it were directed and intentional malice. Which is a completely valid way to view a fuckup like this.
>response to incompetence of this level should be the SAME
sure.
but this was not a deliberate attack by microsoft employees to shut down wireguard. that is what i was trying to say and the essence of the quote in question.
Microsoft drove a truck through a school yard at 150mph. It was not a deliberate attack, it was just the fastest route and their map says there's a highway there. Is it malice?
A certain level of recklessness is automatically malice.
in that case, it certainly wouldn't be called a deliberate attack, right?
the edit in my original comment should hopefully clear up any confusion of my intended point. and, well... the comment you replied to should also make it clear that my entire point is centered around something being deliberate attack vs. ridiculous incompetence.
the deliberateness of it is the entirety of the reason i wrote my comment. choosing the phrase "malice vs. incompetence" was a poor choice on my part, when i should have been extremely explicit. it would have avoided all of this back-and-forth.
whether something is a deliberate attack or not is not worth pointing out?
it's, like, the only thing worth pointing out. if microsoft is deliberately targeting projects and literally attacking them, that would be huge fucking news. like crazy news. lawsuits galore.
Microsoft's incompetence is certainly reckless at a minimum, and often manifests in ways that come across as misanthropic toward their users. They don't really fit the pattern of mere bumbling fools.
Except that the system that removes culpability, visibility and consequences of this kind of abuse is set up deliberately to avoid liability and consequences of such actions.
This isn't a tee-hee accident, this is deliberate organizational design which removed any kind of bad consequences or even thought about what the software does to users from the engineers at Microsoft. They're happy about that. They now don't need to deal with that. And if you ask them, they will refuse a change that will make them responsible for abuse of their users.
and even with all of that in mind, this was not a coordinated microsoft attack against wireguard. which was my point.
i am in no way defending microsoft. just pointing out that the conspiracy-theorists suggesting that some exec at microsoft specifically targeted wireguard for whatever nefarious purpose was, well, a conspiracy.
You're trying to make a difference where there is none. Yes, they didn't say "we'll attack wireguard". They said "we'll set up our processes so apps like will end up being abused to save us effort", which is the same, just packaged into bureaucracy.
It's kind of bizarre how y'all pretend that systematic bureaucratic evil doesn't exist. After being brainwashed about its evils in the USSR for your young life.
i get that everyone has a frothing-at-the-mouth extreme hatred of microsoft and its employees. but microsoft did not say "fuck jason, fuck wireguard, let's try and shut that down". that would be a way different story.
i point out in my original comment that i think it is stupid that the only way to resolve this sort of thing is via social media. i think it is insane. and the lack of accountability is also crazy, given the influence microsoft (and other big tech) has over everyday life.
i think people are reading my comment as some sort of defense of microsoft. it's not.
all i wanted to emphasize was that this incident, while obviously ridiculous, did not come about because a bunch of microsoft employees sat in a cigar-smoke-filled room saying "let's destroy wireguard".
It's so unhelpful for people to get mad at made up crap. It completely weakens the impact of the pushback. Like if someone is in a position where people are getting mad over all sorts of made up stuff anyway, what's even the point of avoiding actually doing any of the things they're mad about? Might as well get something out of it if the downside doesn't change either way.
With the way things are going right now with all the corruption in governments and corporations, we're way past the point of giving the benefit of the doubt. These organizations are clearly making changes to their OSes to slowly remove user control.
Everything should be treated as suspicious moving forward and I am glad of the skepticism.
The question is, did they notify the user that the account was blocked, or was it done silently? My money is on the latter; obviously I don't know, just my guess. Was there a reason? "Blocked" is semantically harsher than "it has been disabled".
yes, i am in agreement. i tried to be extremely clear in my edit that i think that the whole social media being the only way to get an account back is crazy stupid.
root programs are super specific about root cause analysis, what actions led up to distrust, differentiating deliberate maliciousness from systemic incompetence, etc.
it's like the exact opposite of "all this doesn't matter".
of course they still look at the outcome (danger to users, etc.), typically as a first step. but they take great care to determine exactly what led up to a specific outcome.
It really depends on the scale of the breach, for example DigiNotar was immediately killed for their gross incompetence. In this case even the scale is unclear, with heavy suspicion towards malice and little hope on fixing any process inside that monstrous bureaucracy or even making it meaningfully care if it's not. I see no reason to trust Microsoft anymore, regardless of it being a fuckup or malice.
Microsoft has entitled itself to decide what I can and cannot run on the computer and OS that I paid for, this earns them no additional revenue, so they don't care to do a good job.
i think they have explicitly made it clear that they want to copilot all of the things (unfortunately), so i dont quite file it under the conspiracy label.
If it's not a conspiracy (and to be clear, I don't think it is one), it's still a failure on multiple levels of the organisation.
We can probably blame copilot for the email about new verification requirements not going out to everyone. Maybe even for the reports of people who jumped through all the hoops and still got blocked as if they hadn't. But rolling out new verification requirements, then not monitoring how many developers fulfill your new requirements and following up, is entirely on Microsoft employees. That's management failure and disregard for developers on their platform.
"Personal information is information that identifies, relates to, or could reasonably be linked with you or your household."
and, you do have the rights set forth in the ccpa (know, delete, correct, limit exposure, etc.) regarding that data.