Eve Ventually
@EveHasWords@toot.cat · yesterday

Hey #discord. Why the hell would we give you our ID when you've already exposed the ID of the folks who have already given you their ID?

"We're now using a different vendor who haven't yet leaked everyone's IDs and we keep your data for the smallest possible period of time!"

Every organization will have a data breach eventually. The question is when affected users will find out and what data you had in the first place.

The fact that your new vendor has not yet had a known breach doesn't mean that they're safe. It doesn't even mean they haven't had a breach yet! It just means any breaches are, as yet, unknown.

A fundamental principle of PII is that you should not gather data unless you have a sufficient justification for doing so that cannot be handled without having that data.

Your justification is nonexistent for you ever having this information. Therefore ever having it is not justifiable. If our legal systems allowed the full consequences of that inappropriate data collection to fall on your shoulders where it belongs, no insurance company would ever agree to insure you while you are gathering this data. No matter how little a period of time you purport to have it.

#RiskManagement #PII #PI2 #Technology

Badalich also says after the October data breach, Discord “immediately stopped doing any sort of age verification flows with that vendor” and is now using a different third-party vendor. She adds that, “We’re not doing biometric scanning [or] facial recognition. We’re doing facial estimation. The ID is immediately deleted. We do not keep any information around like your name, the city that you live in, if you used a birth certificate or something else, any of that information.”
The Verge

Discord will require a face scan or ID for full access next month

Age verification for all.
Hacker News
@h4ckernews@mastodon.social · last month

The battle to stop clever people betting

https://www.economist.com/christmas-specials/2025/12/18/the-battle-to-stop-clever-people-betting

#HackerNews #cleverbetting #bettingregulations #gamblingnews #economictheory #riskmanagement

The Economist

The battle to stop clever people betting

The tools bookmakers use to block data-savvy gamblers, and how to get round them
Alex Akselrod boosted
Ian Campbell
@neurovagrant@masto.deoan.org · 6 months ago

Incident Response company Profero on "AI-induced destruction" - a new incident category that they say now makes up 25% of their calls in which AI coding assistants deployed by legitimate insiders wreak havoc.

#infosec #RiskManagement

https://profero.io/blog/new-attack-vector--ai-induced-destruction

Ian Campbell
@neurovagrant@masto.deoan.org · 6 months ago

"The Dam Seems To Be Breaking" - and not in good ways.

This was a grim but good read from Fred Cohen.

#cybersecurity #GenAI #RiskManagement

https://managementanalytics.substack.com/p/the-dam-seems-to-be-breaking

PDF Link: http://all.net/Analyst/2025-08.pdf

Coffee
@coffee@cafecreature.club · 7 months ago

Cybersecurity, risk management, long post, brainstorming

Hey folks, I'm currently working on a thing for a company, and I need a brainstorm buddy as my team went on a corporate retreat.

It has to do with risk management.

Let's say we have a qualitatively assessed risk that was initially based mostly on vibes rather than solid data.

Now let's say we have an incident that stems from this specific risk. At the end of the incident, we need to re-assess the risk based on the data we collected.

Now, the requirement is a risk model that accommodates a shift from qualitative assessment to quantitative, starting with a single occurrence.

Does anyone know of any papers on the topic, or has anyone dealt with something similar? From my past experience, quantitative risk in cybersec is mostly bullshit anyway and everyone just kind of makes up numbers, especially for probability/frequency, just so they can get a bigger budget approved, which kind of goes against the spirit of risk management in my eyes.

My current train of thought is the following:
The risk model should calculate the risk not based on the traditional impact * probability formula, but something more detailed, like a weighted score based on the threat characteristics multiplied by asset value divided by current defence capability multiplied by real-world statistics.
Based on the incident, we first adjust our threat model, possibly tweaking some numbers, then have a critical look at our capability and adjust that based on the results of the root cause analysis, and then add a statistical multiplier with the default value of 1.

Then for every incident within the same year we multiply the statistical multiplier by 2, and every year without this risk being triggered we divide it by 2.

Also every year a threat model gets reviewed based on OSINT, updated, risks get recalculated.

Also also every year the independent audit cycle happens, controls get assessed, maturity scores get updated, risks get recalculated.

At that point the risk team only needs to get threat modelling reports, audit reports, new asset inventories, and interview asset owners to verify there were no changes in asset value.

Thoughts?

#infosec #infosecurity #informationsecurity #cyber #cybersec #cybersecurity #riskmanagement

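The model sketched in the post above (weighted threat score × asset value ÷ defence capability × statistical multiplier, with the multiplier starting at 1, doubling for every incident in a year and halving for every quiet year) carried through in code, as an added Python example that is not part of the post or the poster's own work. The characteristic names, their weights, the 1..5 scales, and the multi-year timeline are constructed assumptions; the optional `floor` on the multiplier is an addition the post does not specify, included because the halving rule as stated drives the score toward zero after a run of quiet years.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed threat characteristics and weights (assumption, not from the post):
# each characteristic is scored 1..5 and the weights sum to 1.
THREAT_WEIGHTS = {"capability": 0.4, "intent": 0.3, "opportunity": 0.3}


@dataclass
class Risk:
    """One risk in the register, scored with the post's formula."""
    name: str
    threat: dict                 # characteristic -> score 1..5 (constructed scale)
    asset_value: float           # 1..5 (constructed scale)
    defence_capability: float    # control maturity 1..5; must be > 0
    multiplier: float = 1.0      # statistical multiplier, default 1 as in the post

    def threat_score(self) -> float:
        """Weighted score over the threat characteristics."""
        return sum(w * self.threat[name] for name, w in THREAT_WEIGHTS.items())

    def score(self) -> float:
        """threat score * asset value / defence capability * statistical multiplier."""
        if self.defence_capability <= 0:
            raise ValueError("defence capability must be positive")
        return (self.threat_score() * self.asset_value
                / self.defence_capability * self.multiplier)


def next_multiplier(current: float, incidents_in_year: int,
                    floor: Optional[float] = None) -> float:
    """Post's rule: x2 per incident in the year, /2 for a year with none.
    `floor` is an added option (assumption, not in the post): without it a long
    run of quiet years halves the multiplier toward zero, and the risk with it."""
    new = current * 2 ** incidents_in_year if incidents_in_year > 0 else current / 2
    return new if floor is None else max(new, floor)


def annual_review(risk: Risk, incidents_in_year: int,
                  threat_updates: Optional[dict] = None,
                  defence_capability: Optional[float] = None,
                  asset_value: Optional[float] = None,
                  floor: Optional[float] = None) -> float:
    """One review cycle: apply the threat-model (OSINT), audit (maturity) and
    asset-inventory updates the post lists, then update the multiplier.
    Returns the recalculated score."""
    if threat_updates:
        risk.threat.update(threat_updates)
    if defence_capability is not None:
        risk.defence_capability = defence_capability
    if asset_value is not None:
        risk.asset_value = asset_value
    risk.multiplier = next_multiplier(risk.multiplier, incidents_in_year, floor)
    return risk.score()


def simulate(years: list, floor: Optional[float] = None) -> list:
    """Run a constructed multi-year history and return the score after each review.
    `years` is a list of (incidents_in_year, review kwargs) pairs; index 0 of the
    result is the initial, vibes-based assessment."""
    risk = Risk(name="phishing leading to account takeover",   # constructed example
                threat={"capability": 4, "intent": 3, "opportunity": 5},
                asset_value=4.0, defence_capability=2.0)
    history = [risk.score()]
    for incidents, kwargs in years:
        history.append(annual_review(risk, incidents, floor=floor, **kwargs))
    return history


if __name__ == "__main__":
    # Year 1: one incident; the root cause analysis rates the control lower.
    # Years 2-4: quiet; the year-3 audit raises the maturity score.
    timeline = [
        (1, {"defence_capability": 2.5}),
        (0, {}),
        (0, {"defence_capability": 3.2}),
        (0, {}),
    ]
    for year, s in enumerate(simulate(timeline)):
        print(f"year {year}: score {s:.2f}")
    print("with floor 1.0:", [round(s, 2) for s in simulate(timeline, floor=1.0)])
```

Running the timeline without a floor shows the effect the post's halving rule has on its own: the score falls from 8.0 to 12.8 after the incident year, then to 6.4, 2.5 and 1.25 over three quiet years even though nothing about the threat or the asset changed in years 2 and 4. With `floor=1.0` the last two reviews settle at 5.0, which is the score the updated maturity alone justifies.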

bonfire.cafe

A space for Bonfire maintainers and contributors to communicate
Bonfire social · 1.0.2-alpha.7