Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?

Comment management isn't reading this thread (Score 1) 227

Perhaps they should do this and that. They aren't reading this thread, so talking about what they should do is not helpful.
What can we nerds do to help the situation? If speaking in terms of business risks solves the problem ...

You see relevant news stories on CNN / MSNBC / Fox. How hard is it, really, to send your boss the link with a note saying "I noticed we're vulnerable to this. I'd like to discuss securing our systems from this type of problem"?

Comment We logged over 10,000 attacks last month. Data. (Score 1) 227

I don't know about you, but I HAVE hard data to base my estimates on. If you don't, a professional opinion giving a rough estimate isn't "made of whole cloth". If you're making recommendations, you should be able to say with some confidence that an SQL injection attack on a public web server is at least 100X more LIKELY than having your WAP cracked. Management may not know that, but somebody in IT should know it and be able to communicate it to management.

Comment based on professional knowledge or desired outco (Score 2) 227

If you are asking for resources to be spent to avoid a particular risk, you either have the professional knowledge to discuss the level of risk, or you're talking out your ass.

How can you get that knowledge? We logged just over 10,000 brute-force attacks last year on the x,000 sites we monitor. I can query those logs to provide various numbers. So logging is one way. The major security lists get several reports per day. MMonitoring those lists will help you understand the threats - how common they are, how costly they are, and how to mitigate the risk. Sometimes engineers focus on mitigation, but knowing how to mitigate risk is pointless until you know which risks you should be focused on.

Suppose you don't have time to learn about all that. You probably don't have time to learn about a lot of things, so you listen to some experts. Bruce Scheiner or myself might post something you'll want to read and feel you can trust. If we security professionals do our jobs right, we'll include some risk assessment data. You can always ask us questions. Every three years, you might call one of us in to look at your systems and provide some specific recommendations, along with information about WHY we recommend those things.

Comment what does blame buy you? (Score 1) 227

> If the boss doesn't understand still doesn't ask why you think something is important then
> he is just as much to blame for the communication failure

That's true for ANY communication failure. What does blame get you?

If I'd like to get something done, I can either communicate it in a way that gets it done, or not.
It does me no good to go about it such that it fails and I can blame the other guy.
Blame and $2 will buy a cup of coffee ($8 in California).

Comment "6% of $1M loss = $60K, can be avoid for $4K" (Score 5, Insightful) 227

To take that a step further, it would be interesting to see what happened if those complaining of poor communication emailed their boss saying:

You may have seen the Forbes and WSJ articles related to the security breach at XYX Corp.
We are currently at risk for the same type of issue. I estimate a 6% chance of a breach in the next three years which would cost the company around $1 million,
so we have an actuarial liability of $60,000. If we secure the system, I estimate the risk would be reduced to 3%, eliminating $30,000 of the liability. I estimate the cost as $4,000 to eliminate that $30,000 liability and much of the $1M risk.

That you you are presenting management with this decision "do we want to save $30,000 by spending $4,000?" That's not too technical, that's exactly
the decisions they are trained to make.

Looking at it that way can also teach we engineers something. We might estimate the cost of a breach at $30,000 with a 1% chance of it happening. That's a $300 liability. If it would require 10 man-hours to fix, including meetings and stuff, the company would lose a lot of money trying to fix it. (Remember people cost approximately double their salary, once you pay for health insurance, taxes, their office space, etc.) Management would be "right" to simply accept the risk, knowing that bad might happen, at a cost of $30K. Better to risk a $30,000 problem that probably won't happen than to spend $2,000 avoid it. (Best would be to make a note to fix it in the next version / rewrite, when the _extra_ cost is only 1 man-hour.)

Comment almost all said "too technical". Wrong words, then (Score 3, Insightful) 227

6x% said there was a communication problem. 61%, or almost all with a problem, said it was too technical for management to understand.

One commenter talked about trying to explain escalation attacks and ssl issues to the boss. Yeah, my boss wouldn't understand that either. He does understand BUSINESS RISKS. If I point to a WSJ or Forbes article about a company that got owned and say "we are vulnerable to the same thing" he'll understand that. He doesn't understand SSL ciphers, he's not supposed to. He does understand "PR nightmare" and "noncompliance".

If I want business managers to do something, should I maybe explain the business case for what I'm proposing? Maybe point to a line in the WSJ article that says "the attack is estimated to have cost the company $2.4 million so far. No word yet on when their services will be back online". Perhaps that's what management understands better than the technical details?

Comment something done != military action (Score 2) 234

It's possible that many people "want something done" while realizing that the military strikes proposed by Obama aren't the right something, or that there is no effective "something" to do. I would have been in the majority in that poll, counted as "opposed". I DO want somebody smart to come up with some effective action. I do want something done, and understand there's nothing we CAN do that will help.

Of course "most Americans" are probably busy watching Honey Boo Boo and have no idea who "Assad" is.

Comment no, they have a duty to not screw shareholders (Score 1) 201

Fiduciary duty means the officers have a duty to not place their personal interests above those of the shareholders. For example, they can't take corporate money (shareholder money) and put it in their own pocket.

To understand fiduciary duty, think about housesitting. A house sitter has a fiduciary duty to take care of the home as the homeowner would, not throw a wild party that wrecks the house.

So the question for the executives is "what would the shareholders do?" Many corporations have charters explicitly laying out things like environmental protection etc.

Comment Not what I meant at all. Anonymous changes me (Score 1) 169

"And also the way you mean it, in that you expect some kind of return for the investment of your generosity."

That's not what _I_ meant at all. While it does make sense to be friendly with our friends, when I said spending foolishly I meant things like cars.
I can buy a lot of meals for people who need it with the money I could otherwise spend on a flashier car. The flashy car losses it's shine quickly.
On another level, I take my lunch to work, rather than eating out. 270 lunches X $5 = $1,350 every year, multiply by me and my wife, that's $2,700.
Over ten years, $27,000 from lunch. Instead, I could buy someone their first starter car every year and still come out $700 ahead, just by taking
lunch with me.

Really, ANONYMOUS giving does something to me that I don't get any other way. I'd like to do that more anonymous giving.
I can't quite explain it, but I think the effect is has on me likely makes more a more successful person, certainly a happier person.

I mentioned foolish giving. By that I do not meaning giving where I'll get nothing in return. I always get something in return because
it does something to my psyche / spirit / brain that's good. I mean that just as it's foolish to rent furniture from RAC, it's foolish to
"give" by bailing that same person out of jail AGAIN, or bailing them out of whatever situation they habitually put themselves in.
Just as the rented furniture ends up going back to the store, my brother ends up going back to the jail. Much better use that money
on someone whose actions show they intend to never go back to jail again.

Giving very publicly is fun, the recognition strokes the ego. Giving anonymously WITHOUT the ego boost, remaining humble, has longer
lasting benefits. I'm reminded that I'm actually the steward of what I have. It's been trusted to me because I've made wise decisions,
worked hard, etc., so it would be irresponsible of me to hand it out to drunks who will waste it, but ultimately it's not really mine. It was
created by the creator, and when I put it use with that in mind I become closer to what I'm made to be.

* I am no saint. I give far less than I "should", far less than many people do. I'm merely speaking of what happens _when_ I give in different ways.

Comment this. employees prefer bonuses to unexpected cuts (Score 1) 169

I do bonuses when the company can afford it for just that reason. Employees want a stable, guaranteed pay check. If they didn't, they'd be entrepreneurs. It would be cruel to give them a raise and have to take it be back six months later. Most would much rather have stable pay that won't be cut plus a bonus once a year than have their pay go up and down every month depending on company financials.

Comment I beg to differ. Most of my money is from being (Score 2, Insightful) 169

There are a few really good reasons not to do business with me, but I've always had as many clients as I can handle. Most of my money (over a million dollars) has come from people who choose to do business with me BECAUSE of what kind of person I am.

When they see me being generous with my time and money, they know I'm the type of person they want to do a deal with.

Secondly, without a generous and grateful spirit, you can have $200 million and not be nearly as rich as someone with a spirit of gratitude and generosity who earns 1/10th as much.

Sure, it's POSSIBLE to get a lot of money by being obsessed with money. Some people do that. It's EASIER to get rich by being of service, solving people's problems. Who would you rather buy from, someone who is obsessed with getting your money, or the other guy who is trying to help you solve your problem? If you were really good at what you do, which of those people would you choose to work for?

You don't get rich spending money FOOLISHLY. Every rich person I know is generous, applying the same wisdom to their giving that they apply to their business. (Disclaimer - generous people are over represented in the list of people I know because I don't hang out with, or do business with, scumbags.)

Comment They are warrantless- DEA agents subpoena AT&T (Score 1) 141

From the article:

"It is queried for phone numbers of interest mainly using what are called “administrative subpoenas,” those issued not by a grand jury or a judge but by a federal agency, in this case the D.E.A."

So the DEA agents themselves decide to have AT&T pull your phone records.

Comment sounds pretty tough (Score 1) 459

That sounds like it's pretty darn challenging. I feel for you.

You have a list of things you can't do. It would be nice to see a list of what you're good at, but whatever. It seems pretty obvious that someone who is deaf isn't going to be a composer or a talk show host. Other things are better suited to their abilities. Beethoven went right ahead and became one of the best composers who ever lived. He couldn't hear the music he was composing, but he went right ahead and did it anyway. The most successful talk radio host in America is 90% deaf. He just keeps on using his talent for being obnoxious on the air anyway.

Ask Temple Granden about disabilities and bigotry.
If you haven't seen the biopic about her, please do.
She, like you, had some really good, perfectly valid excuses. The thing about valid excuses is that they're still excuses, not solutions.

Slashdot Top Deals

You can tell the ideals of a nation by its advertisements. -- Norman Douglas