
Comment Just to be clear (Score 1) 348

United Health and its CEO did not kill anyone. They may have stolen people's money, not honored policies, etc., but such a corporate culture would have and should have been the road to financial ruin for United Health. Instead, thanks largely to misguided legislation at both state and federal levels, United Health and its associates have guaranteed income regardless of how inept or corrupt they may be. I find it beyond ironic that many of the folks who have been clamoring for government-sponsored healthcare are now the ones aghast at the state of health insurance in the country, even to the point of condoning murder.

Comment Lawyers Helping Lawyers (Score 1) 159

The reality is that most civil laws in the US mean nothing until a lawyer gets involved. At the end of the day, most of these laws are written by lawyers who create more work for themselves and their industry. Until someone files suit, companies ignore compliance and complaints, and most consumers simply move on. Even then, rarely do you see a broad change in industry behavior. If there is a problem, the way to solve it is through consumer power, but when it comes to technology, most consumers are too short-sighted to see how they are being exploited.

Comment Re:More and more government.... (Score 2) 29

Protecting infrastructure is a government's main task.

I'm not sure I would say "main," but backing up a bit, the fundamental question is does the vulnerability of our infrastructure derive from the malice of others using some sophisticated attack, or is it more a matter of institutional negligence? If a sinkhole opens up in a road because poor materials were chosen, the people doing the work lack qualification and supervision, and once in use, there was no maintenance of the road, I don't see the problem as a lack of regulation but a lack of accountability. I mean despite the talking heads, these attacks are not sophisticated. In most cases, they take advantage of unpatched vulnerabilities on software that is the equivalent of the Ford Pinto. My worry is that the same folks (or caliber of folks) who made the poor choices in the construction of this infrastructure will now be the ones in charge of this new regulation. Maybe they will get it right this time, but I think the problem is more elemental.

Comment Proof that Mass. idiots have invaded NH (Score 1) 112

The ultimate philosophical and political transgression is hypocrisy. I find the philosophy of "let's make a law against" wildly incongruous with the tenets that gave rise to open-source and free software. Simply, let people choose. If we start making laws, no matter the apparent nobility of the goal, to favor one idea over another, then we have lost before we have even started. While there may be some concepts outlined in the bill worth pursuing, I find the overall thinking behind the proposition immature if not dangerous. Proprietary software is not the enemy. The enemy is weak thinking. And this bill seems spawned from the same knee-jerk thinking that has caused governments to eschew open-source solutions under the false premise that quality has cost a lot. So all the bill's sponsors seem to be doing is perpetuating superficial thinking rather than encouraging real contemplation and evaluation. I get it, in this day and age asking people to employ logic and build sound processes (rather than just running to the result) is incredibly frustrating. But we can't give up the ship. The ends never justify the means, and in a democratic process, the means are the ends.

Comment Re:Security and Web application (Score 2) 52

Saying "security" and "web application" are mutually exclusive is both sweepingly broad and largely incorrect. In the two examples referenced in the article: Real-time phishing is not a weakness of the web but a broader one impacting a poor implementation of two-factor authentication; a phone transaction is just as susceptible to the attack as a web-based one, for example. In the second case of stealing a cookie, that is just an absurdly poorly designed system. Designed properly, a cookie is just one piece of maintaining state in a web application. It is easy and necessary to bake in additional checks (e.g., user-agent, IP address, time) to guard against someone stealing a cookie. Arguably, the statelessness of the web creates the potential for enhanced security; each and every request to the web server has to involve authentication. Unfortunately, that lesson is irrelevant to the business success of some startup. The modern entrepreneur paradigm is all based on market share - popularity - and not quality. Fundamentally, that's how come we end up with incredibly popular and incredibly crappy software. If you want to fix the problem, start holding CEOs and boards liable. Seriously, the company that puts blatantly poor software into market is being just as negligent as the transportation company that hires drunks with poor driving records or the construction company that chooses to build with sub-par materials.
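
The cookie checks mentioned in the comment above (user-agent, IP address, time), sketched as an added example that is not part of the original comment. The key, session lifetime, network-prefix binding and function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, ipaddress, json, time

SECRET = b"constructed-demo-key"  # constructed value; load from a secret store in practice
MAX_AGE = 1800                    # assumed session lifetime in seconds

def _context(user_agent, ip):
    # Bind to the client's network prefix, not the exact address (assumption:
    # /24 for IPv4, /64 for IPv6), so ordinary address churn is tolerated.
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return hashlib.sha256(f"{user_agent}\n{net}".encode()).hexdigest()

def _sign(body: bytes) -> str:
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest()

def issue_session(user, user_agent, ip, now=None):
    """Return a cookie value carrying user, issue time and a client-context hash."""
    now = int(time.time() if now is None else now)
    claims = {"u": user, "t": now, "c": _context(user_agent, ip)}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return f"{body.decode()}.{_sign(body)}"

def validate_session(cookie, user_agent, ip, now=None):
    """Return the user name if the cookie is authentic, fresh and presented
    from the same client context it was issued to; otherwise None."""
    now = int(time.time() if now is None else now)
    try:
        body, sig = cookie.rsplit(".", 1)
        if not hmac.compare_digest(_sign(body.encode()), sig):
            return None  # forged or modified cookie
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return None      # malformed cookie
    if not 0 <= now - claims["t"] <= MAX_AGE:
        return None      # expired, or issue time in the future
    if not hmac.compare_digest(claims["c"], _context(user_agent, ip)):
        return None      # replayed from a different browser or network
    return claims["u"]
```

A cookie copied to another machine fails the context check even though its signature is valid; the server re-evaluates all three conditions on every request.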

Comment It all gets back to the credit industry (Score 2) 26

If Jackie Singh really is a cybersecurity consultant, I doubt they said "encrypting." You might want to hash a social security number but that's different from encrypting. Regardless, the reason T-Mobile likely was storing SSNs was to facilitate credit checking and credit reporting. It's amazing the effort exerted in the US to regulate banking to protect the economy at the macro level but there is very little we do to protect individual economic interests. Something like a U.S. GDPR might help, but the reality is identity theft is a misnomer - there is very little about our identities that we own in the US as we have little practical control over how our information is bought, sold, traded.

Comment SMS is not two-factor (Score 1) 63

SMS has never been two-factor authentication. It may be a component of two-step authentication, but all it proves is that you have access to a phone number that you already provided someone. Now, if Google handed you the phone in some secure manner and there was no way of intercepting an SMS message or forwarding it somewhere, then yes, it could function like a token and qualify as possession-based authentication to complement the knowledge-based factor used when you enter a password. But otherwise, it is not a real second factor.

Comment Re:The nationwide "experiment" (Score 1) 354

If even 10% of people do that, an economy completely collapses because we can't afford to have that level not working.

Actually, in some ways, the math is a bit more alarming than that. The ratio of U.S. workers to beneficiaries has been on the decline for decades. As is, tomorrow's workforce is going to struggle to fund government promises.

Comment Re:Change password (Score 1) 66

You have to connect the dots, but the reference to TeamViewer likely means this was not an authorized use of IT. Basically, the employee set up TeamViewer for his/her/etc. own convenience. Hence, when the employee left, all the normal credential policies were executed, but because no one knew about TeamViewer, it slid through the cracks. It's the Shadow IT problem. That said, they should have been checking for this, and by all means, should have employed the proper employee training (and consequences) to prohibit such things. Especially when dealing with federal, state, and municipal infrastructure, you're dealing with under-resourced departments and under-trained professionals. Combine that with massive institutional inertia and you have a sizable footprint to attack.

Comment Welcome to the Millennial economy (Score 1) 182

Those of an older lean may find this idea outlandish, but for those of a younger lean, this is incredibly sensible. If you are comfortable sharing every detail of your life on social media every day, why would you be worried about sharing your bandwidth? This is not going to scare the younger generation; it's going to attract them. Of course, it is an interesting debate as to whether Millennials have changed the economy or whether the economy has changed (at least temporarily) Millennials. Arguably, it's been the unchecked rise in college tuition that has resulted in the well-educated, younger generation who finds themselves missing out on the promise of capitalism; when you own nothing but debt, the share economy seems pretty good. It will be interesting to see how these attitudes shift as Millennials age and start having their own families. Privacy, individual ownership, financial planning, these things all take on more meaning when your own kids are involved.

Comment Re:Whole lotta luddites here (Score 1) 53

Pretty much every e-commerce site before the early 2000s didn't rely on JavaScript - it took so long for a standard (ECMAScript) to emerge and then just as long for the browser manufacturers to adopt it uniformly. Browser-side scripting is a nice to have, but you should never rely on it for content or functionality. The greater issue is most folks in charge of an organizational web site these days have no idea whether or how their site uses JavaScript. Good web development has gone the way of the standard transmission - practiced only by a relative handful who still want a full connection to their vehicle.

Comment Absolutely shocked.... (Score 1) 63

Shocked, I tell you, that a company whose entire business model is advertising would use every means at its disposal to advertise. Sorry to the Minionllenials out there, but how stupid can you be? I mean if some guy in a mask walked up and said "Hand me your wallet, it's for 'security' purposes." Would you? Think about it, what's being secured here? Are we that misguided or egotistical that we think it is a good idea to give up more personal information about ourselves in order to avoid the off chance that our account might be hijacked and our three followers misled by some fake post? No, the reality is it is far more likely that Twitter will have its backend database compromised at some point and with it your username, password hash, and phone number. You're not securing a damn thing by giving up your phone number. You're opening up your attack footprint.
