After the last Circle CI breach, we were all really annoyed about the way it was handled, IMO it was dishonest and lacked the required transparency for such a breach, we were all quite annoyed and ready to move on, but we've just plugged on using the product like nothing happened.
GitHub was similar, they published their freaking private keys accidentally, which should raise some major red flags, we're all just going about our business with GitHub.
I was downvoted hard and fast for my original comment but I'd like to see someone actually disprove my point. I've been in this game way too long to know that almost no security issue matters in the eyes of consumers so long as the company offers decent products and has a great marketing team.
I'm ideologically opposed to this lack of inaction and I think you're right, you'd need some type of financial disincentive to change people...
Social media itself is a type of privacy breach and people actually openly engage with it.
Isn't the issue that, if you switch away from a service after an incident, it doesn't necessarily mean that the alternative is going to necessarily be better? GitHub clearly did things poorly, but is Gitlab or Bitbucket better? Or have they just not happened to have messed up publicly yet/recently? Is swapping away just playing musical chairs at high cost to your dev team having to constantly migrate until you've run out of services to migrate to?
I don't say this to imply that everyone is equally bad, but to question if it is obviously as illogical as you seem to think it is to stick with a company that's had a major security debacle. What certification can you get from another CI vendor about their security procedures that CircleCI wouldn't have given you 2 years ago, or your internal Jenkins team wouldn't have offered?
This is sort of what I mean. The fact that one vendor is bad at security has no particular bearing on if their competition is better, or if there's a more secure option you could run internally.
Sure, we've learned that Azure is less secure than we may have thought last week, but is AWS or GCP better? Or have they just not been uncovered for their issues yet? Or maybe they had their big security issue last year. Once everyone's had a big problem, what do you do? Make up some scoring system and keep re-migrating your company to whoever currently has the lowest "security mistakes" score?
Take a lesson from the Lock Picking Lawyer. You don't need three impervious locks, two AirTags, and a Klaxon alarm on your bicycle, you only need a stronger lock than everyone else parked next to you.
And when a bear attacks you and your buddy, you don't need to outrun the bear, you just need to outrun your buddy.
On second thought, I'm not sure any of this philosophically applies to Cybersecurity, given the low cost of entry, stealth and anonymity, and the ability to mount massively parallel, unattended attacks.
I think the bigger difference is between targets: the US government is going to be targeted by a ton of folks who don't care about me or you or most folks on HN, even if US gov security is tougher than a random individual's.