> As long as the penalties for data breach are a slap on the wrist and buying everyone one year of credit monitoring, no one will.
And, of course, that one year is totally useless when one is subject to multiple breaches per year. Throw in the fact that so many breaches aren't even with a company that affected individuals have a direct relationship with, and it becomes virtually impossible to fix this.
At this point, I'd be in favor of making any company that handles personal data pay in advance for the monitoring, and get refunded when they prove that they OR THEIR PROVIDERS haven't had a data breach.
> I'd be in favor of making any company that handles personal data pay in advance
How about we start with some strict data privacy and handling laws? Make it so you straight up just can't collect & store personal information without proving that it's required and without it your business would not work (and no, data harvesting for advertising/marketing doesn't count).
Security is the problem, but it would be less of a problem if everyone wasn't trying to hoard as much data as possible from their customers for seemingly no reason at all. Take a scroll through the Play Store/App Store and look how many really simple apps request permissions for camera, microphone, location, local network, etc. for something like a metronome app that needs none of that.
There is a reason for hoarding data: it’s an asset on the balance sheet. So long as it is legal to liquidate data for cash, there will be incentives to collect and keep it.
Or at least make it a liability on the balance sheet rather than an asset. Sure, you can store as much user data as you want. Oh, what's that, if it leaks you owe each user $10,000 under the new law?
What about making them put up a hefty bond proportional to the sensitivity and scale of the data collected, which is forfeit to any potentially affected users in the event of a breach.
How about pay the user whose data has been collected. It's their data. If we are the product, we should get paid for being used! And we should get paid a whole lot more (multiples) for the exposure of a leak.
The real riches are in starting a credit monitoring company. Vibe coded, of course, and if you have a data breach, then it's a perpetual motion machine.
The fact that the average joe can't start their own credit monitoring company as competition and the incumbents get away clean every time they screw up says a lot about "capitalism" as we practice it.
Monitoring is a joke. We need legislation with real teeth. Companies which don't protect the user data they've been entrusted with should go bankrupt, to make way for those who actually care.
> He got the prompt, asked questions about throughput requirements (etc.), and said, “okay, I’d put it all in Postgres.” He was correct! Postgres could more than handle the load.
I had this happen in a Google interview. I did back of the envelope math on data size and request volume and everything (4 million daily events, spread across a similar number of buckets) and very little was required beyond that to meet performance, reliability, and time/space complexity requirements. Most of the interview was the interviewer asking "what about" questions, me explaining how the simple design handled that, and the interviewer agreeing. I passed, but with "leans" vs. "strong" feedback.
To be fair, the simple answer is not so simple within Google.
The issue is that Google achieves reliability by insisting on n+2/n+1. Globally your service is in at least 2 more data centers than is required for full load. In each region in at least 1 more data center than is required for full load.
If you're using the Google toolchain, all of the scalability and failover problems are automatically handled by the layers that you're relying on. Which everyone expects you to use, because they are already integrated into the environment.
But if you go to use Postgres as a data storage layer, then you also need to take care of replication, failover, backup, and make sure that this is integrated with the automated systems that Google already has to detect when this is needed. Even after you've done that, people from outside of your team will need to be convinced that you've done that. Simply because you're doing things differently, you'll get extra scrutiny.
As a result, even if Postgres would have worked perfectly well, it is usually not the optimal answer for someone who is working within Google's environment. Don't think of it in terms of, "Does this do the job?" Think about it in terms of, "Can those in the broader organization easily certify that this does the job?" That certification is easier when you use standardized parts that are themselves already certified within the organization.
My guess is that your interviewer was aware of this. And was left with, "What about that question that I didn't think to ask you about?"
If you're interviewing at Google, the expected answer to the interview question can't be to use Google's internal tools. "Use Postgres" is the standardized, understandable answer for anyone outside Google who needs to solve Postgres-shaped and Postgres-sized problems.
No, that can't be the expected answer. And indeed, use Postgres was an accepted answer.
But when the interviewer keeps pushing back, that's an invitation for the candidate to ask why, and ask what about the environment might make that not a good fit within Google. Doing that gives a stronger hire signal.
FWIW, that was the second time I interviewed at Google. The first time, which resulted in strong yes across the board at L7, the first system design was to design YouTube Video Upload. The second was a more practical problem about replacing a high-volume logging component where correctness was critical but environment was space-constrained (i.e. no ability to run old + new in parallel).
Those were my favorite system design rounds ever, thanks to the problems being interesting and the interviewers also being very dynamic. It was also pre-Covid, so it was just awesome whiteboard design sessions.
I worked at a no longer extant networking equipment manufacturer as an intern in college in the late 1990's. My role was to work on software for an in-development 45Gb network switch, and a bunch of the software I wrote ran on prototype boards.
Since fabricating new boards took time and was expensive, a lot of work was done to make in situ modifications that involved an insane amount of wirewrapping. One member of the team did that all day, every day as their full time job, and I was always amazed by their ability to focus consistently at that level for so long.
I don't know where my car keys are, but I still remember a significant portion of the "Our Father" that I had to memorize in Old English in the early 1990's.
> Also, _Discord_ deleting them is really only half the battle; random vendors deleting them remains an issue.
This really is the issue. Of the 5 or so data breach notifications I received last year, none are from an entity I have a direct relationship with. They're all from a vendor used directly or indirectly by these entities.
The real answer is more serious penalties for having data breaches. Having 6 concurrent "identity monitoring" services is of zero value to me.
> The wider implications of this are left to the reader.
IMHO, it's actually worse than we realize. The Medical Loss Ratio requirement is good because it requires insurance companies to spend 80% or 85% of premiums on health care. It's bad because one way for insurance companies to make more money is to have inflated health care prices to justify increasing premiums so they can get 80% of a bigger pie. It also gives them incentives to provide care themselves so they can capture some of that 80% spend.
> For the uninsured this sort of thing is actually really common. Had an online friend who had to get emergency treatment and they sent him a bill for $20k.
I experienced this personally with my own insurance. My bill was over $20k, and it took a year to convince the insurance company that removing a few feet of my intestines was actually emergency surgery. I ended up paying $800. My roommate in the hospital had no insurance and ended up not paying anything (which I did not begrudge them at all, since the reason for no insurance was debilitating back pain that led to unemployment).
Or, the likelier explanation, is that health insurance prices are highly regulated and have to get their prices approved by a government official(s), and B) they don't have a lot of pricing power due to the competition and they are not colluding.
See almost any of the proxy filings and you will see much of the compensation is based on hitting targets other than just revenue, and most of the compensation itself is equity:
> since another insurance company would just steal their customers by having lower
LOL. Meanwhile, in real-life America, there are only four or five major carriers that control the market, and none of them are incentivized to do this "competition" thing you speak of by engaging in damaging price wars. Why would they when continuing to be part of the problem makes them more and more profits each year? See also: military contracting. Do you see them constantly undercutting each other? No, they buy each other, reducing the number of bidders on every contract.
And in real-life America, the only people health insurance companies engage in price wars with is the state insurance regulator who gets to deny requested price increases.
Fascinating observation, thanks for challenging my assumptions here. Just seems to further point out how useless health insurers are, even to their shareholders.
My most sincere wish is that all insurers would be nationalized, every last employee summarily fired, and their HQs all imploded and replaced with memorials to all the people whose lives they have cut short over the years. Not a thing of value would be lost IMO. Worse than paying people to dig holes and fill them in again.
Four or five competitors is plenty for a healthy market.
Where I live, they do compete on price - prices vary by about 30% for similar coverage. They can't engage in the kind of price war you're thinking of since insurance companies, by law, have to maintain a fund able to cover costs, have to get rate changes approved by regulators and are largely banned from price discrimination.
I understand the desire to shift blame entirely onto insurance companies rather than providers. After all, one is all about money and the other is seemingly all about healing.
Heck, when a provider does bill people directly because an insurance company refused to pay, we blame insurance companies - even when the charges on those bills are highway robbery - like those in the article itself.
The fact is, the net cost of health insurance was about $279 billion in 2022. Meanwhile, $3.7 trillion went to healthcare providers, pharmacies and the like for care. The ones who stand the most to gain from higher prices are providers.
Frankly, decades of lobbying from the healthcare provider lobby to enrich themselves should have made it this obvious, but sadly, people see doctors as selfless angels and it blinds them.
Aren't they doing some kind of turf non-compete agreement like ISPs do?
I had read that Comcast won't go into CenturyLink territory and vice versa, and something along those lines for the major ISPs, in order to be local monopolies and set prices as they like.
My dad died of cancer when I was 26, and I had very frequent dreams where it felt like he was real and present, though never speaking or interacting directly with me. The grief persisted for years.
Nearly 25 years later, my mom passed away this summer, and it's been a totally different experience. The grief was just as intense as when my dad passed, but contained to a few weeks.
In general, many (most?) internet plans specifically prohibit running a web server with a residential account. A business account would be necessary in these cases.
The very first DVD player I ever purchased was a Pioneer model with all the possible outputs, from composite to component video, 5.1 discrete audio channels, and coax + optical digital audio outs.
I purchased it somewhere in the 1996 to 1998 timeframe. When I graduated to Blu-Ray, I gave it to my mother who used it once or twice a week up until she passed away this year.
Obviously that's purely anecdotal, but that one unit was a workhorse.
I have a Pioneer DVD player of the same vintage, and it's still working to this day. The remote is sturdy, too. Currently lives in a summer house but gets regular use.