Miscellaneous Tech News
- 
 Redshell spyware discovered in quite a few games, both less well known and AAA titles (Civ VI being the one that hits closest to home): https://www.reddit.com/r/Steam/comments/8pud8b/psa_red_shell_spyware_holy_potatoes_were_in_space/. 
- 
 I think this is a frightening decision in allowing employees to seek punitive damages when an employee intentionally discloses PII in response to a phishing attempt: https://blog.knowbe4.com/heads-up-employees-sue-company-for-w-2-phishing-scam.-federal-court-decides-triple-damages. 
- 
 @kelly said in Miscellaneous Tech News: I think this is a frightening decision in allowing employees to seek punitive damages when an employee intentionally discloses PII in response to a phishing attempt: https://blog.knowbe4.com/heads-up-employees-sue-company-for-w-2-phishing-scam.-federal-court-decides-triple-damages.
 I think it's the right decision. 
- 
 @obsolesce said in Miscellaneous Tech News: @kelly said in Miscellaneous Tech News: I think this is a frightening decision in allowing employees to seek punitive damages when an employee intentionally discloses PII in response to a phishing attempt: https://blog.knowbe4.com/heads-up-employees-sue-company-for-w-2-phishing-scam.-federal-court-decides-triple-damages. I think it's the right decision.
 So if employee A sends out a file with PII then the employer has to pay punitive damages to employees B through ZZ? I think if there is a case for negligence on the part of the employer it would be appropriate, but it sounds like (from the blog post) that the court is punishing the company for the stupidity of one employee. 
- 
 @kelly said in Miscellaneous Tech News: So if employee A sends out a file with PII then the employer has to pay punitive damages to employees B through ZZ?
 Yeah, if the PII of employees B through ZZ was given out. 
- 
 @kelly said in Miscellaneous Tech News: think if there is a case for negligence on the part of the employer it would be appropriate, but it sounds like (from the blog post) that the court is punishing the company for the stupidity of one employee.
 Who else would it be? "A company" is made of people. When a mistake happens, it's always the fault of a person or persons. Where do you draw the line of accountability? If PII is released to the general public by "a company", yes they should be liable no matter how many employees took part in it. Ignorance is not an excuse... and rarely is. 
- 
 @obsolesce said in Miscellaneous Tech News: @kelly said in Miscellaneous Tech News: think if there is a case for negligence on the part of the employer it would be appropriate, but it sounds like (from the blog post) that the court is punishing the company for the stupidity of one employee. Who else would it be? "A company" is made of people. When a mistake happens, it's always the fault of a person or persons. Where do you draw the line of accountability? If PII is released to the general public by "a company", yes they should be liable no matter how many employees took part in it. Ignorance is not an excuse... and rarely is.
 The court decision is not punishing the ignorant person. They're punishing the entire company. This seems to me to be a ridiculous level of collective responsibility. Again, if the company was negligent in their responsibility to train and safeguard the information then I can see there being a case, but if the employee did something against training and policy then you end up in a very difficult place for employers. 
- 
 @kelly said in Miscellaneous Tech News: @obsolesce said in Miscellaneous Tech News: @kelly said in Miscellaneous Tech News: think if there is a case for negligence on the part of the employer it would be appropriate, but it sounds like (from the blog post) that the court is punishing the company for the stupidity of one employee. Who else would it be? "A company" is made of people. When a mistake happens, it's always the fault of a person or persons. Where do you draw the line of accountability? If PII is released to the general public by "a company", yes they should be liable no matter how many employees took part in it. Ignorance is not an excuse... and rarely is. The court decision is not punishing the ignorant person. They're punishing the entire company. This seems to me to be a ridiculous level of collective responsibility. Again, if the company was negligent in their responsibility to train and safeguard the information then I can see there being a case, but if the employee did something against training and policy then you end up in a very difficult place for employers.
 That's the responsibility employers take when they hire people. The employees make up the company, so the company is responsible for the employees' actions regarding "company data". That it was an individual's action makes no difference that company data was misused (PII). 
- 
 Look at these corporate crime apologists. Seriously, corps need to be smacked down regularly. Even small ones. Companies being forcibly shut down for malfeasance should be a regular thing. 
- 
 @momurda said in Miscellaneous Tech News: Look at these corporate crime apologists. Seriously, corps need to be smacked down regularly. Even small ones. Companies being forcibly shut down for malfeasance should be a regular thing.
 Wow, you're calling me a corporate crime apologist? 
- 
 @kelly said in Miscellaneous Tech News: @momurda said in Miscellaneous Tech News: Look at these corporate crime apologists. Seriously, corps need to be smacked down regularly. Even small ones. Companies being forcibly shut down for malfeasance should be a regular thing. Wow, you're calling me a corporate crime apologist?
 Yeah, umm just what the fuck? Then again from some of his other posts I should not be surprised. 
- 
 @obsolesce said in Miscellaneous Tech News: @kelly said in Miscellaneous Tech News: @obsolesce said in Miscellaneous Tech News: @kelly said in Miscellaneous Tech News: think if there is a case for negligence on the part of the employer it would be appropriate, but it sounds like (from the blog post) that the court is punishing the company for the stupidity of one employee. Who else would it be? "A company" is made of people. When a mistake happens, it's always the fault of a person or persons. Where do you draw the line of accountability? If PII is released to the general public by "a company", yes they should be liable no matter how many employees took part in it. Ignorance is not an excuse... and rarely is. The court decision is not punishing the ignorant person. They're punishing the entire company. This seems to me to be a ridiculous level of collective responsibility. Again, if the company was negligent in their responsibility to train and safeguard the information then I can see there being a case, but if the employee did something against training and policy then you end up in a very difficult place for employers. That's the responsibility employers take when they hire people. The employees make up the company, so the company is responsible for the employees' actions regarding "company data". That it was an individual's action makes no difference that company data was misused (PII).
 That is a bunch of bullshit. Let us assume that the company had policy and procedure in place as specified in the discussion point by @Kelly. How should the company be held liable for a rogue employee? Malicious or not. Use logic and give me facts. The company did everything they were supposed to do. 
- 
 @obsolesce said in Miscellaneous Tech News: @kelly said in Miscellaneous Tech News: @obsolesce said in Miscellaneous Tech News: @kelly said in Miscellaneous Tech News: think if there is a case for negligence on the part of the employer it would be appropriate, but it sounds like (from the blog post) that the court is punishing the company for the stupidity of one employee. Who else would it be? "A company" is made of people. When a mistake happens, it's always the fault of a person or persons. Where do you draw the line of accountability? If PII is released to the general public by "a company", yes they should be liable no matter how many employees took part in it. Ignorance is not an excuse... and rarely is. The court decision is not punishing the ignorant person. They're punishing the entire company. This seems to me to be a ridiculous level of collective responsibility. Again, if the company was negligent in their responsibility to train and safeguard the information then I can see there being a case, but if the employee did something against training and policy then you end up in a very difficult place for employers. That's the responsibility employers take when they hire people. The employees make up the company, so the company is responsible for the employees' actions regarding "company data". That it was an individual's action makes no difference that company data was misused (PII).
 I'm not stating that there shouldn't be consequences and that the company needs to actually do something about what happened, but how is a company to avoid being shut down by the failure of an employee to do their job (again, I'm making an assumption that there were policies and training that were violated)? To make it more personal, think about the impact for you if the accountant at your company did this, a group of employees sued the company for punitive damages, and the company cut jobs and you lost yours. How can a company avoid this? 
Hiring better isn't the answer since intelligent, aware people get caught by this when they're stressed or in a hurry. 
- 
 @jaredbusch said in Miscellaneous Tech News: @obsolesce said in Miscellaneous Tech News: @kelly said in Miscellaneous Tech News: @obsolesce said in Miscellaneous Tech News: @kelly said in Miscellaneous Tech News: think if there is a case for negligence on the part of the employer it would be appropriate, but it sounds like (from the blog post) that the court is punishing the company for the stupidity of one employee. Who else would it be? "A company" is made of people. When a mistake happens, it's always the fault of a person or persons. Where do you draw the line of accountability? If PII is released to the general public by "a company", yes they should be liable no matter how many employees took part in it. Ignorance is not an excuse... and rarely is. The court decision is not punishing the ignorant person. They're punishing the entire company. This seems to me to be a ridiculous level of collective responsibility. Again, if the company was negligent in their responsibility to train and safeguard the information then I can see there being a case, but if the employee did something against training and policy then you end up in a very difficult place for employers. That's the responsibility employers take when they hire people. The employees make up the company, so the company is responsible for the employees' actions regarding "company data". That it was an individual's action makes no difference that company data was misused (PII). That is a bunch of bullshit. Let us assume that the company had policy and procedure in place as specified in the discussion point by @Kelly. How should the company be held liable for a rogue employee? Malicious or not. Use logic and give me facts. The company did everything they were supposed to do.
 It is a FACT, that employees can not be sued due to negligence. Another fact, employees can be sued, if they act fraudulently or commit acts of intentional wrongdoing (malicious intent) beyond the scope of their authority... 
but this was not the case. 
- 
 Exactis - Another gigantic leak of data. 
- 
 @wrx7m said in Miscellaneous Tech News: Exactis - Another gigantic leak of data.
 And this is why the Red Shell "analytics" software is not a good idea even if they will only use it for benign purposes. 
- 
 Agentless Linux vulnerability scanner looks interesting: https://n0where.net/linux-vulnerability-scanner-vuls. 
- 
 Gentoo code on GitHub has "been totally pwned": https://nakedsecurity.sophos.com/2018/06/29/linux-distro-hacked-on-github-all-code-considered-compromised/. 





