This will leave your users vulnerable to man-in-the-middle attacks. If I control the router between their computer and the Internet, I can serve back a HTTP page which doesn't redirect, and trick them to enter their password (for example).
It can't, that is what preloading is for. Your browsers comes preloaded with a list of all sites that have requested HSTS preload, so your browser will use HTTPS even on the first visit. This is why preloading on all subdomains is potentially dangerous to use, it could break your site if you don't have HTTPS everywhere.
But even without preloading HSTS will improve security. Yes, the first visit will be susceptible to MITM, but every visit after that is not. This makes it a lot more difficult for an attacker as they must intercept the very first visit for the attack to work.
And because the preload list is hierarchical whole swathes of the Web can be covered with a single entry. .dev is the biggest example, but they can protect all the stack exchanges, all the default blogspot blogs, that sort of thing.
It can't! But after the first time it's been contacted, when you contact it again HSTS will enforce HTTPS (from the client itself - much stronger than a redirect).
It doesn't have to be expensive, either in financial terms, opportunity cost or other people's time. That's exactly the problem we've solved with Skiller Whale - we make good training easy.
Form a limited company and run the site from that. If you're prepared to shut the site down anyway, then that remains the worst thing that can happen for non-compliance.
There's no need to shut the thing down just in case someone sues you when that hasn't happened yet.
On the other hand, there's a good reason to shutter your site because you don't have time to make it respectful of people's privacy. By all means, shut down your site because the GDPR makes you realise that! But that's not what OP is saying.
It seems like more research into GDPR could have prevented this.
Firstly, there's nothing this site does that is so unusual. If the user gives explicit and informed consent for their data to be used in this way, then you are likely to be covered.
Secondly, it's looking unlikely that the rules will be enforced that strictly in the near term, especially against a small, hobby website. IANAL but you likely have a couple of years until you have any chance of being on the ICO's radar (ICO is the UK's enforcer). And even then, you can reasonably expect the find to be << €4M.
Thirdly, if you run this site from a limited company (about £100/year to maintain), then the very worst case would be that you are investigated under the GDPR in the future, and you can fold the site then at which point your liability ends. No need to do it now, in fear of something that may never happen.
I hope it's not too late to change your mind about shutting down!
I am currently working in one of this multi-$bn companies. They run/are preparing GDPR.
So far I haven't found ANY person who has read the full 80 pages. Everyone is asking eveyrone else, they download whatever presentations they find on the internet, but NOT ONE have bothered reading the damn thing.
It will be a massacre for many companies, only because very few do their homework.
Having engineers read and interpret regulation personally is not a remotely sane legal risk management strategy. Read the thing on your own time if you're curious, but the engineering work should start with specialized outside counsel/consultants and percolate down to engineers as company policy via the CTO.
You're onto something, though: in a corporate environment, the word "compliance" is a magic spell that disables all critical thinking skills within earshot.
> You're onto something, though: in a corporate environment, the word "compliance" is a magic spell that disables all critical thinking skills within earshot.
Is that a bad thing? The vast majority of regulations exist because someone's "critical thinking" went too far in the name of profit.
Your mistake is assuming that the idea being sold internally under the heading "compliance" is required by, or even tangentially related to, an actual regulation.
I have a theory about this. It's a kind of intentional incompetence. You won't get praised in an organisation for implementing GDPR because it is seen as a cost. In some cases it is even restricting revenue (or at least making it more difficult). By only having a surface understanding of the issue, you can intentionally misunderstand it while later having a plausible excuse. When/if you have a big lawsuit directed at you, you can blame the summary websites, consultants, etc for being insufficient. Indeed, you can blame the GDPR for be "too complicated". "Even the experts got it wrong".
But if you read the law, claim to understand it and don't implement it properly, you are screwed. It's just another case where savy managers are avoiding personal risk at the expense of corporate risk.
the damn thing is more abstract than poetry. it s indicative that all these months, i have not seen a single article / presentation that provides a concrete example of how to shield a website.
The law is completely readable by non-lawyers, IMHO. It's one of the better written laws I've seen. But here's a website by the UK government that explains what all the terms mean and exactly what you have to do: https://ico.org.uk/for-organisations/guide-to-the-general-da...
There are 28 member states. Under some circumstances, a company headquartered in the EU can have the headquarters country's authority act as its "one stop shop." But it would be a mistake for a foreign website to rely on the opinions of 1/28th of the agencies that might prosecute it.
There is a missunderstanding on your part. The law is not what’s written but what the courts make out of it. Lawyers may have the experience to foretell that.
On the other hand I bet you have a better life with your belief until - if ever- you learn the difference the hard way.
Take the simple question: can you look at personal data on your monitor? What about Van Eck phreaking? Basically you are broadcasting the data. Do you need to protect against that?
The GDPR says that at the current state of technology it would take an undue effort to infringe someone's privacy in such a way, so the risk is unreasonable.
It's like worrying that someone will be struck by lightning because they're located on your property near an antenna you set up, and you'll be charged with murder because of that. Yes, it's possible, and about equally as likely.
It's worth noting, as well, that this part of the law hasn't changed at all. The changes to GDPR are about notification and a variety of rights. Protection for leaking data to unknown 3rd parties is exactly the same as it was.
I would estimate the frequency of the attack similar to Lightnings killing people. I’m quite sure it happens but only in very small scale because you have to get so close to the victim.
If the customer is choosing to display his data on his screen while under risk of Van Eck phreaking, it's on him.
If you choose to display customer data on your screen while raising funds for launching a new cryptocurrency in the Sultanate of Kinakuta from sketchy Chinese generals, it's on you.
If you're a big multinational, these uncertainties are a cost of doing business. You have a dedicated team of in-house attorneys and many other high priced lawyers on retainer. If the worst happens, you start private negotiations on settlements. When I worked for a firm owned by a very large multinational, our parent company basically had an IRS auditor with a dedicated office inside of the parent's headquarters. But you can absorb that cost across multiple entities.
Within society "in general" there are usually other forms for quantifying, and spreading, the cost of uncertainty among larger groups. We usually call those markets "insurance." Car insurance, life insurance, health insurance, disability insurance, homeowners insurance, landlord insurance... all of it exists to "cope" with uncertainty.
If you're running a small operation that's hovering at or below breakeven, it's reasonable to look at the existing uncertainty surrounding GDPR and find that the only winning move is to not play.
I'm not a FUD guy; I'm a numbers guy. Uncertainty is real and entire markets exist to deal with them. Where there are _not_ markets that allow you to quantify uncertainty, it is reasonable to look at the potential downside and say, "that's not worth the risk."
I'd be very hard pressed to run a business that catered to the EU at this point until the first N lawsuits happen. There's a reason why in the US people prefer to incorporate in Delaware: it's not because it's the most business friendly state, it's because there is so little uncertainty in case law.
I am making no claims as to whether GDPR is a good thing or a bad thing. Simply that it's an unknown thing. And unless you have the pockets to play in unchartered legal territory, it is perfectly reasonable to shake one's head and walk away.
Unfortunately for you, the ICO was directly asked about this and responded that they do not envision a grace period
> Steve Wood, ICO Deputy Commissioner: Will there be a grace period? No. You will not hear talk of grace periods from people at the ICO. That's not part of our regulatory strategy.
Except the lazy morons running the privacy orgs couldn't be arsed to give us final guidance until, well, mid April.
And that definitely includes the ICO. I mean, I understand it's a lot to expect to have final guidance on running a balancing test more than a month before the deadline, but I guess grace periods are just for the regulators.
Have you ever tried a touchscreen computer?
Was it better than when you use a mouse?
Why?
Which interface do you prefer - your computer or your phone?
Why?
Show me how you would go to www.altavista.com on your PDA.
It looked like it was hard to find the browser - is it often hard to find the right application on your PDA?
When you bought this PDA, were there cheaper PDAs you could have bought?
How much more did you spend on this PDA because it was better?
Do you have lots of VHS videos at home?
When did you last watch one?
Do you have a lot of DVDs?
How are they stored?
Is it a problem that you have them? Would you rather not have to store them, and why?
Have you ever watched a YouTube video?
Is it easier to find something on YouTube or to watch a DVD?
"I’ve rarely encountered discussions of contagion."
This surprised me: contagion is a good metaphor because it is a compounding measure of the growth of the problem. Just like an interest rate (a compounding measure of the growth of debt).
Most senior developers I've met have considered the interest rate of the debt, which seems like it has been renamed here as contagion. Maybe I've been lucky to just know smart people!
From the point of view of explaining these concepts, I'd suggest keeping the metaphors consistent. Tech debt should have an amount owed and an interest rate, tech infection (?) should have a potency and a contagion level.
I'm working on a product like this at the moment to solve exactly those problems. On Twitter @h_carver if you want to chat more! Or if you want to wait 6 months and find out why I shouldn't have been pursuing it ;)
Depends whether you want to teach code or computer science (and code).
I wrote a book to teach 7-11 year olds to code in Python and Scratch and teach them some computer science along the way - I read a few other books out there first, and there's a lot of "just copy out this code and things will happen", which is exactly what I tried to avoid in this book.
My son is 8 and started using Scratch at school. He had me install it on my macbook and he created a simple side-scroll game and a program to play the Jingle Bells chorus.
I was impressed with how quickly he went from "just tried this at school" to "leave me alone, Dad, I know what I'm doing here".
You don't have to install Scratch! The old version required you to install it, but these days you just need to use the browser version. https://scratch.mit.edu/
Hywel, I notice the blurb says "in line with the new National Curriculum" is that a USA-wide curriculum or is it in another country. I've got kids in that age range in the UK and they don't do any such computing/coding [at school!].
Yeah, the UK National Curriculum says children need to learn a visual language (like Scratch) and then a text based one (like Python). Your kids should be doing visual coding in school from Key Stage 2.
In case anyone else was wondering, "Key Stage 2 is the legal term for the four years of schooling in maintained schools in England and Wales normally known as Year 3, Year 4, Year 5 and Year 6, when the pupils are aged between 7 and 11."
Hey, you should try this book which Scholastic published www.goodreads.com/book/show/28232614-coding-unlocked#other_reviews
It's available as an ebook as well as in paper. Short pitch: don't just learn to code by typing out existing code, learn how to think algorithmically and write your own code instead. Learn Scratch and Python side by side, seeing the same Computer Science concept in one and then the other. As well as the reviews, I've heard great anecdotal feedback.
Full disclosure: I wrote it. If I could get you a discount, I would, but I don't have that kind of sway with the publisher.
This looks like the same article: https://dev.to/martinheinz/ultimate-guide-to-python-debuggin...