It is perfectly possible given infinite resources to fully protect a website from attack. But therein lies the rub. Nobody has infinite resources. Also, a lack of security understanding and awareness are reasons why websites can be attacked.
The question has conflated the questions "Can a website be attacked" with "Should they be attacked"
"There are two ways of constructing a software design: One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies. The first method is far more difficult." - C.A.R. Hoare
Anything can be Attacked, it whether they have the defences to avoid, mitigate and/or prevent breaches of the attack.
If take a physical castle example to help me think this through.
With enough resources you can build a really high walls.
But you need infinitly more to observe your attacks to know if you need to build higher.
Observable Problem - we know how short are walls are.
Contrast with DDOS - we know we can mitigate/hold off against 1000 hits per second, and know we can do above this. We will take the risk that attackers currently cannot do 1000 hits per second, or build a ladder above 100 meters.
But we need to allow some people in. Okay.
Castle - attacker can see who you let in. That leaks their information however relevant that might be and classification issue of what personal data is.
Beyond the wall. keep the gold in a chest.
If they breach the wall, they can steal the chest, but without the key no luck getting inside.
Unless chest made of wood, in which a brute force attack of dynamite might crack it open. But then that could damage the goods inside. So maybe a million small hammers, takes longer time, but this is brute force still.
Usage stats are commercially traded, legally, by various corporations.
Real-time location data is commercially traded, legally, by various corporations.
CC information is routinely stolen, but I'm insured against fraud, so in the end that doesn't matter.
Age, name, sex, and contact information is trivial to gather.
The only reason hackers are an issue, is because corporations screw their users with terrible support when something goes wrong.
Most hackers gain access to the server/network via back channels and not directly through the site. Not to say that a website should not be secure, but the "website" is not the main target, the database is.
Keeping data secure is a matter of encryption (website or not) and proper login handling. because they will hack your server and they will get your data. if the data is encrypted properly, then you have protected yourself there.
I totally agree with this. I found the question a little confusing, especially given the exactitude of the audience here. But also, as long as you're talking about DIRECT hacking, and not social engineering hacking, I think our systems are - in general - pretty good.
The problem, the weakest link, is definitely the users.
I see two different ways of answering this. I do think it should be actually possible to 100% protect data, but... there is actually no 100% security.
When the technology is good enough, then the programmer might be the one building the security hole (just have a look to Q&A)
And when the programmer is good enough, there can still be a bug in the technology used, that will allow to get data compromised.
That's why I have answered (being very optimistic): Sites can protect our data from most, but not all hackers
But I actually think that: Probably not. Most sites are unable to protect our data
If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about?
Help me to understand what I'm saying, and I'll explain it better to you
Rating helpful answers is nice, but saying thanks can be even nicer.
The problem is in the way they asked the question. The sub-question, above, "Do you trust your compatriots to get it right?" has a different answer than the first, "As a developer, do you think that websites are actually able to protect your personal data from hackers?" Hence my answer was the same as yours: "Sites can protect our data from most, but not all hackers". But will they? Probably not.
I agree that it’s possible but probably not being accomplished but I don’t primarily blame my compatriots (fellow programmers). The owners/managers/CIOs/bosses need to make data security a priority, insist on it and put up the money to pay for it. Perhaps GDPR will help by making it more expensive to fail to secure data than to do it right the first time.
The problem is that the answers are in two different forms:
Yes - there's no reason sites can't completely protect our personal data
Sites can protect our personal data from all but the most advanced (eg State sponsored) hackers
Sites can protect our data from most, but not all hackers
No they can't. It's simply not possible
"Can it be done?" questions.
I'm not sure
Let's ignore this for a moment.
Probably not. Most sites are unable to protect our data
Almost no site has the ability to actually protect our personal data from hackers
"Is it done?" questions.
The first set asks if it is actually possible - and it is, at least up to the "state sponsored" level.
But the last set is asking about the current state of site security, and that's "missing, presumed dead" judging from both the news, and the level of queries we get in QA.
Until teachers understand - and stress - security, they won't teach it. And until they are taught, the next generation of "developers" won't know any better and will continue to store passwords in plain text, on sites that are vulnerable to SQL Injection, and use Base64 as a serious secure encryption system ... just like most sites out there seem to.
Sent from my Amstrad PC 1640
Bad command or file name. Bad, bad command! Sit! Stay! Staaaay...
AntiTwitter: @DalekDave is now a follower!