Mixing
Is it safer to trust software/company that has been hacked in the past?
Clash Royale CLAN TAG#URR8PPP
up vote
1
down vote
favorite
Which is better, when you have choices between 2 competing products:
- First one, which has never been publicly reported about being hacked or having security holes
or
- Second one, which has had bad days in the past, and was hacked (critical leakage) 1-2 times in recent years (which has been then fixed).
The argument which comes to my mind is to lean toward the 2nd choice. The 1st product developers could become loyal, used to think that their product is not vulnerable and don't much care about that, while the 2nd product's developers & management should definitely be worrying & working hard (if they are competent) on security details and development, to raise their reputation.
What is the stronger argument toward any of them?
audit
asked 1 hour ago
T.Todua
1,17731019
add a comment |Â
up vote
1
down vote
favorite
Which is better, when you have choices between 2 competing products:
- First one, which has never been publicly reported about being hacked or having security holes
or
- Second one, which has had bad days in the past, and was hacked (critical leakage) 1-2 times in recent years (which has been then fixed).
The argument which comes to my mind is to lean toward the 2nd choice. The 1st product developers could become loyal, used to think that their product is not vulnerable and don't much care about that, while the 2nd product's developers & management should definitely be worrying & working hard (if they are competent) on security details and development, to raise their reputation.
What is the stronger argument toward any of them?
audit
asked 1 hour ago
T.Todua
1,17731019
1
Two points: a) No, the employees of a hacked big company are not working harder etc. In a average corporate setting, the relevant employees wait until management gives them time/money/directions etc. for improving security, and the relevant manager doesn't because he has no idea what they need. Bottom line is that on the long term nothing improves.
– deviantfan
1 hour ago
1
b) A big factor is the reason for being hacked. I'd rather go to someone not noticing the NSA broke in, rather to someone who noticed a grade schooler used an SQL injection to delete all data.
– deviantfan
1 hour ago
@deviantfan why not you convert these comment into post ? as its nice answer, i will definitely upvote.
– T.Todua
1 hour ago
I don't think that these information provide sufficient information to decide which product to prefer. A product might not be ever hacked since it is not worth (i.e. nobody uses it) but also because it was designed with security and robustness in mind everywhere. A product might be hacked because the companies/developers don't care and/or have no idea what they are doing or it might be hacked because it is heavily used in important places so an attacker puts lots of effort into hacking it. I therefore propose to close the question as too broad or since answers will be primarily opinion based.
– Steffen Ullrich
15 mins ago
add a comment |Â
up vote
1
down vote
favorite
up vote
1
down vote
favorite
Which is better, when you have choices between 2 competing products:
- First one, which has never been publicly reported about being hacked or having security holes
or
- Second one, which has had bad days in the past, and was hacked (critical leakage) 1-2 times in recent years (which has been then fixed).
The argument which comes to my mind is to lean toward the 2nd choice. The 1st product developers could become loyal, used to think that their product is not vulnerable and don't much care about that, while the 2nd product's developers & management should definitely be worrying & working hard (if they are competent) on security details and development, to raise their reputation.
What is the stronger argument toward any of them?
audit
asked 1 hour ago
T.Todua
1,17731019
Which is better, when you have choices between 2 competing products:
- First one, which has never been publicly reported about being hacked or having security holes
or
- Second one, which has had bad days in the past, and was hacked (critical leakage) 1-2 times in recent years (which has been then fixed).
The argument which comes to my mind is to lean toward the 2nd choice. The 1st product developers could become loyal, used to think that their product is not vulnerable and don't much care about that, while the 2nd product's developers & management should definitely be worrying & working hard (if they are competent) on security details and development, to raise their reputation.
What is the stronger argument toward any of them?
audit
audit
asked 1 hour ago
T.Todua
1,17731019
asked 1 hour ago
T.Todua
1,17731019
edited 1 hour ago
asked 1 hour ago
T.Todua
1,17731019
asked 1 hour ago
T.Todua
1,17731019
asked 1 hour ago
T.Todua
1,17731019
1,17731019
1
Two points: a) No, the employees of a hacked big company are not working harder etc. In a average corporate setting, the relevant employees wait until management gives them time/money/directions etc. for improving security, and the relevant manager doesn't because he has no idea what they need. Bottom line is that on the long term nothing improves.
– deviantfan
1 hour ago
1
b) A big factor is the reason for being hacked. I'd rather go to someone not noticing the NSA broke in, rather to someone who noticed a grade schooler used an SQL injection to delete all data.
– deviantfan
1 hour ago
@deviantfan why not you convert these comment into post ? as its nice answer, i will definitely upvote.
– T.Todua
1 hour ago
I don't think that these information provide sufficient information to decide which product to prefer. A product might not be ever hacked since it is not worth (i.e. nobody uses it) but also because it was designed with security and robustness in mind everywhere. A product might be hacked because the companies/developers don't care and/or have no idea what they are doing or it might be hacked because it is heavily used in important places so an attacker puts lots of effort into hacking it. I therefore propose to close the question as too broad or since answers will be primarily opinion based.
– Steffen Ullrich
15 mins ago
add a comment |Â
1
Two points: a) No, the employees of a hacked big company are not working harder etc. In a average corporate setting, the relevant employees wait until management gives them time/money/directions etc. for improving security, and the relevant manager doesn't because he has no idea what they need. Bottom line is that on the long term nothing improves.
– deviantfan
1 hour ago
1
b) A big factor is the reason for being hacked. I'd rather go to someone not noticing the NSA broke in, rather to someone who noticed a grade schooler used an SQL injection to delete all data.
– deviantfan
1 hour ago
@deviantfan why not you convert these comment into post ? as its nice answer, i will definitely upvote.
– T.Todua
1 hour ago
I don't think that these information provide sufficient information to decide which product to prefer. A product might not be ever hacked since it is not worth (i.e. nobody uses it) but also because it was designed with security and robustness in mind everywhere. A product might be hacked because the companies/developers don't care and/or have no idea what they are doing or it might be hacked because it is heavily used in important places so an attacker puts lots of effort into hacking it. I therefore propose to close the question as too broad or since answers will be primarily opinion based.
– Steffen Ullrich
15 mins ago
1
1
Two points: a) No, the employees of a hacked big company are not working harder etc. In a average corporate setting, the relevant employees wait until management gives them time/money/directions etc. for improving security, and the relevant manager doesn't because he has no idea what they need. Bottom line is that on the long term nothing improves.
– deviantfan
1 hour ago
Two points: a) No, the employees of a hacked big company are not working harder etc. In a average corporate setting, the relevant employees wait until management gives them time/money/directions etc. for improving security, and the relevant manager doesn't because he has no idea what they need. Bottom line is that on the long term nothing improves.
– deviantfan
1 hour ago
1
1
b) A big factor is the reason for being hacked. I'd rather go to someone not noticing the NSA broke in, rather to someone who noticed a grade schooler used an SQL injection to delete all data.
– deviantfan
1 hour ago
b) A big factor is the reason for being hacked. I'd rather go to someone not noticing the NSA broke in, rather to someone who noticed a grade schooler used an SQL injection to delete all data.
– deviantfan
1 hour ago
@deviantfan why not you convert these comment into post ? as its nice answer, i will definitely upvote.
– T.Todua
1 hour ago
@deviantfan why not you convert these comment into post ? as its nice answer, i will definitely upvote.
– T.Todua
1 hour ago
I don't think that these information provide sufficient information to decide which product to prefer. A product might not be ever hacked since it is not worth (i.e. nobody uses it) but also because it was designed with security and robustness in mind everywhere. A product might be hacked because the companies/developers don't care and/or have no idea what they are doing or it might be hacked because it is heavily used in important places so an attacker puts lots of effort into hacking it. I therefore propose to close the question as too broad or since answers will be primarily opinion based.
– Steffen Ullrich
15 mins ago
I don't think that these information provide sufficient information to decide which product to prefer. A product might not be ever hacked since it is not worth (i.e. nobody uses it) but also because it was designed with security and robustness in mind everywhere. A product might be hacked because the companies/developers don't care and/or have no idea what they are doing or it might be hacked because it is heavily used in important places so an attacker puts lots of effort into hacking it. I therefore propose to close the question as too broad or since answers will be primarily opinion based.
– Steffen Ullrich
15 mins ago
add a comment |Â
1 Answer
1
active
oldest
votes
up vote
2
down vote
It is safer to trust the product that has been tested thoroughly and has had weaknesses fixed. Many times, a successful hack can act as a form of robust test.
But being hacked does not equate to being safer unless the underlying problem has been fixed.
A product that has not been tested, and hence, has not been fixed, provides a false sense of security in that the product has "never had a problem". That's why penetration tests, audits, bug bounties, and public disclosures are useful.
But being hacked, or tested, means nothing without proper fixes to the underlying weaknesses. Adobe Flash has been fixed countless times, but it never become more secure because the underlying problems were never properly addressed.
RSA encryption has never been hacked, but has been tested thoroughly. One should not trust the encryption algorithm that has been hacked in the past.
It's not about the hacks, but about how it was fixed.
answered 1 hour ago
schroeder♦
67.1k25141178
add a comment |Â
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
2
down vote
It is safer to trust the product that has been tested thoroughly and has had weaknesses fixed. Many times, a successful hack can act as a form of robust test.
But being hacked does not equate to being safer unless the underlying problem has been fixed.
A product that has not been tested, and hence, has not been fixed, provides a false sense of security in that the product has "never had a problem". That's why penetration tests, audits, bug bounties, and public disclosures are useful.
But being hacked, or tested, means nothing without proper fixes to the underlying weaknesses. Adobe Flash has been fixed countless times, but it never become more secure because the underlying problems were never properly addressed.
RSA encryption has never been hacked, but has been tested thoroughly. One should not trust the encryption algorithm that has been hacked in the past.
It's not about the hacks, but about how it was fixed.
answered 1 hour ago
schroeder♦
67.1k25141178
add a comment |Â
up vote
2
down vote
It is safer to trust the product that has been tested thoroughly and has had weaknesses fixed. Many times, a successful hack can act as a form of robust test.
But being hacked does not equate to being safer unless the underlying problem has been fixed.
A product that has not been tested, and hence, has not been fixed, provides a false sense of security in that the product has "never had a problem". That's why penetration tests, audits, bug bounties, and public disclosures are useful.
But being hacked, or tested, means nothing without proper fixes to the underlying weaknesses. Adobe Flash has been fixed countless times, but it never become more secure because the underlying problems were never properly addressed.
RSA encryption has never been hacked, but has been tested thoroughly. One should not trust the encryption algorithm that has been hacked in the past.
It's not about the hacks, but about how it was fixed.
answered 1 hour ago
schroeder♦
67.1k25141178
add a comment |Â
up vote
2
down vote
up vote
2
down vote
It is safer to trust the product that has been tested thoroughly and has had weaknesses fixed. Many times, a successful hack can act as a form of robust test.
But being hacked does not equate to being safer unless the underlying problem has been fixed.
A product that has not been tested, and hence, has not been fixed, provides a false sense of security in that the product has "never had a problem". That's why penetration tests, audits, bug bounties, and public disclosures are useful.
But being hacked, or tested, means nothing without proper fixes to the underlying weaknesses. Adobe Flash has been fixed countless times, but it never become more secure because the underlying problems were never properly addressed.
RSA encryption has never been hacked, but has been tested thoroughly. One should not trust the encryption algorithm that has been hacked in the past.
It's not about the hacks, but about how it was fixed.
answered 1 hour ago
schroeder♦
67.1k25141178
It is safer to trust the product that has been tested thoroughly and has had weaknesses fixed. Many times, a successful hack can act as a form of robust test.
But being hacked does not equate to being safer unless the underlying problem has been fixed.
A product that has not been tested, and hence, has not been fixed, provides a false sense of security in that the product has "never had a problem". That's why penetration tests, audits, bug bounties, and public disclosures are useful.
But being hacked, or tested, means nothing without proper fixes to the underlying weaknesses. Adobe Flash has been fixed countless times, but it never become more secure because the underlying problems were never properly addressed.
RSA encryption has never been hacked, but has been tested thoroughly. One should not trust the encryption algorithm that has been hacked in the past.
It's not about the hacks, but about how it was fixed.
answered 1 hour ago
schroeder♦
67.1k25141178
edited 1 hour ago
answered 1 hour ago
schroeder♦
67.1k25141178
answered 1 hour ago
schroeder♦
67.1k25141178
answered 1 hour ago
schroeder♦
67.1k25141178
67.1k25141178
add a comment |Â
add a comment |Â
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f195691%2fis-it-safer-to-trust-software-company-that-has-been-hacked-in-the-past%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
1
Two points: a) No, the employees of a hacked big company are not working harder etc. In a average corporate setting, the relevant employees wait until management gives them time/money/directions etc. for improving security, and the relevant manager doesn't because he has no idea what they need. Bottom line is that on the long term nothing improves.
– deviantfan
1 hour ago
1
b) A big factor is the reason for being hacked. I'd rather go to someone not noticing the NSA broke in, rather to someone who noticed a grade schooler used an SQL injection to delete all data.
– deviantfan
1 hour ago
@deviantfan why not you convert these comment into post ? as its nice answer, i will definitely upvote.
– T.Todua
1 hour ago
I don't think that these information provide sufficient information to decide which product to prefer. A product might not be ever hacked since it is not worth (i.e. nobody uses it) but also because it was designed with security and robustness in mind everywhere. A product might be hacked because the companies/developers don't care and/or have no idea what they are doing or it might be hacked because it is heavily used in important places so an attacker puts lots of effort into hacking it. I therefore propose to close the question as too broad or since answers will be primarily opinion based.
– Steffen Ullrich
15 mins ago