Focus on Apple
Re: And here's some more negative Apple news Aug 06 2008 03:10AM
David Fedoruk (david fedoruk gmail com) (1 replies)
Re: And here's some more negative Apple news Aug 06 2008 05:31PM
Dave Mangot (dmangot terracottatech com)
David Fedoruk wrote:
> You are right about the disconnect between marketing and engineering,
> but the disconnect goes further than that. Most of the upper layer of
> management these days does not understand the technology.

Besides the most basic understanding, they don't need to

> Is this disconnect not a security issue in itself which should be
> addressed? We tend to focus on technical solutions to security
> problems but often the problems are not technical, the critical week
> spot are the human beings in the system.

They we need to put more effort into designing better systems. OpenBSD
has 4 different kinds of stack protection to protect against buffer
overflows. I think that is a much better solution than trying to teach
my end users which binaries are OK to run and which are not. Is the
system perfect yet? No, of course not, but that's our problem, not
someone elses. The Secret Service doesn't rely on amateurs knowing when
to do the right thing in order to protect the President and they have a
pretty hard security problem to tackle.

> How do we begin to address these interpersonal issues in a positive
> way? How do we get those human resource and marketing types to not
> view the technology as a kind of magic?

We don't. It's not their job to understand the technology. It's their
job to know how to file an H1-B visa form properly. They shouldn't have
to learn not to click on the Nigerian $1,000,000 email any more than you
should learn the rules and regulations of getting a NAFTA visa vs. a
H1-B. Don't deliver the Nigerian email. Stop trying to make other
people responsible for your job.

> problem. Our systems are only as secure as the users who operate them.

No. Our systems are only as secure as the operators allow them to be.
It's your job to ensure the safety of the company. It's your job to
block malware at the firewall. It's your job to run Snort to detect
when someone is infected and then shut down their network port. It's
your job to install anti-virus until someone comes up with a better
solution. It's your job to explain to the CEO in baby talk and small
words (backed up by a cost/benefit spreadsheet) why you want to put
Orbicule Undercover on the sales guys laptops.

It's not the marketing and HR folk's job to learn about security.
Hopefully they have enough to do and if you are actually relying on them
to make the right choice when push comes to shove, then there is your
"critical week(sic) spot", you and your expectations. To quote Men in
Black (badly), "A person is smart. People are dumb, panicky dangerous
animals and you know it". You may teach 20 HR folks the right thing to
do, but there is always going to be lucky number 21 who is going to make
the wrong choice, you can count on it. Expect nothing less.


Dave Mangot
Terracotta Inc.
650 Townsend St. Suite 325
San Francisco, CA 94103 USA
+1 415 738 4059
dmangot (at) terracottatech (dot) com [email concealed]

This e-mail incorporates Terracotta's confidentiality policy, which is
online at

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus