You don't understand my point, though. Here it is: blame for these breaches is useless and misapplied. I'm not saying "blame the attacker" - I mean, ransomware is nothing more than opportunistic capitalism.

This is a dangerous path to think down, and I don't know many people who think this way to be honest. I was more railing against a different argument, you're right.

The reason it's dangerous is the same as if someone shot someone in the face, and you don't blame them for shooting them in the face. Well if it's not their fault, then why arrest them? They are just the product of a system of <insert_system_here>. Arresting someone is blaming someone, and saying we shouldn't arrest people for leaking and damaging people's lives is... strange, and I haven't heard that one before.

In effect, you're arguing that if you don't want the Spanish Inquisition to destroy your town, you'd best either become a Cardinal or pay for the care and feeding of one. You're basically saying that only by being vigilant and ever ready to do battle can one defeat the hun. But I don't want to defeat the hun. I just wanna run my little blacksmith shop.

To go back to analogies (it seems to be all I can do!), this to me is the same as a rollercoaster maintenance repair man. You have a responsibility to do a good job, otherwise people die. In the tech scenario, you are responsible for keeping the data people provide to you secure, otherwise they get their identities stolen and get their lives ruined.

This started as me saying there are very legitimate reasons to fear ransomware.

THIS is where we were in contention, and I think it's a simple miscommunication. Obviously ransomware is to be feared! What I was saying was in response to this part of the text body posted by dubski:

Working in healthcare... this is the scariest scenario. This and ransomware attacks.

In healthcare, ransomware attacks shouldn't be an issue whatsoever. I've only tangentially worked with HIPAA, but with how detailed it is I'm sure there are data retention and offsite backup requirements in the law itself, so if you don't have them, you're most likely violating the law.

I wasn't thinking from an end-user, you should be afraid of ransomware for sure as am I.

It's become a rant against the entire IT industry. I'm not walking any of it back because I'm sick of this: When those of us out in the world ask "what are we supposed to do?" the IT answer is invariably

A) Pay us extortive prices so that we can condescend to you

B) Devote your life to our credo so that we can condescend to you for not being 1337 enough

And that's why you can sit there and snigger in superiority while watching The IT Crowd while the rest of us laugh and point.

I'm not really sure where I said any of this, condescended or anything. All I see here is you lumping an entire industry together as if it were one giant whole. It's not that simple, there are warring factions within IT. There are business people who give no shit about end users. There are elitists like you describe. Then there are people like me who are constantly arguing in favor of UX design, usability concerns, making sure the end-user doesn't get confused, etc.

My side is losing, hard. And nobody cares because our stuff doesn't make money and people only care if things work or not.

Because in my organization, I'm you and I'm no fucking good at it and when I want to solve that problem, your entire industry conspires to make me feel bad about it.

I don't know what type of employee you are since I haven't worked with you, but I categorize people into four groups:

1) People who know their shit.

2) People who know their shit and don't care.

3) People who don't know their shit and are willing to learn.

4) People who don't know their shit are are unwilling to learn.

1s can be dicks, you are right.

2s are what I was arguing against in this thread.

3s are not a problem, and it sounds like this is you. I have turned many 3s into 1s with a few months of experience, teaching, and priming with proper ways to find, locate, and read through reference documents. Generally this also involves identifying useless buzzwords.

4s are a bane on the industry, and cause more security problems and are generally just assholes who sit around collecting paychecks and kiss up to their bosses' asses until they get promoted, continue to get promoted, and eventually become CTO. And thus, the problem of businesspeople not giving a shit about end-users compounds, because they are only focused on the dollar value and don't have any idea how to read email.

I think we are basically making the same points, but somehow you have painted me into this prick who doesn't give a shit, and I think it all comes down to that simple miscommunication on what I meant by ransomware. I've seen cases of ransomware hitting organizations, and it's always becomes 2s and 4s fucked everything up. Not 1s, not 3s.

And Sony store passwords in plaintext.

And we're discussing a leak of 9.3m patient records.

And I have three overlapping credit protection services because Target, Home Depot and Bank of America failed to protect their data.

You seem to be making my argument for me. Sony will continue to store passwords in plaintext. Why? Because they have data breach insurance and they don't give a shit about your data. Those are exactly my points. I'm not saying go down and find the exact technician responsible for firing him. In fact, I explicitly stated that's not what I meant. I'm saying hold the organization accountable for their mistakes, you seem to be saying hold the organization accountable for their mistakes, why are we arguing?