Archive for April, 2007

Quote of the week: April 30th, 2007

Monday, April 30th, 2007

The harsh reality of the IT project life cycle.

Phase 1: Uncritical acceptance.
Phase 2: Wild enthusiasm.
Phase 3: Dejected disillusionment.
Phase 4: Total confusion.
Phase 5: Search for the guilty.
Phase 6: Punishment of the innocent.
Phase 7: Promotion of nonparticipants.

Quote of the week: April 23rd, 2007

Monday, April 23rd, 2007

They say one of a baby’s first non-verbal forms of communication is pointing. Clicking must be somewhere just after that.

Quote of the week: April 16th, 2007

Monday, April 16th, 2007

Computer experience explained…

Novice Users: people who are afraid that simply pressing a key might break their computer.

Intermediate Users: people who don’t know how to fix their computer after they’ve just pressed a key that broke it.

Expert Users: people who break other people’s computers.

Quote of the week: April 9th, 2007

Monday, April 9th, 2007

“The day after tomorrow is the third day of the rest of your life.” – George Carlin

Focusing on the real issues of vulnerability reporting

Thursday, April 5th, 2007

A lot of focus and time goes into how to report a flaw anonymously. But this is curing the symptom. The disease is the fact that you get to be a suspect if you report a bug – and might even be incriminated by it.

Many years ago some wise men in the air-traffic industry realized this. Often planes got into dangerous situations, but due to the risk of getting accused of being the wrongdoers and the risk of losing their jobs, no pilots would report these situations. The result was that the security of air-traffic was not improved. Sometimes these incidents caused people to get killed.

So they changed the rules. Today pilots can report all dangerous situations, without blame, even if they themselves caused the situation. Airports have a briefing room where these reports are collected.

The reason for this is that human error in air traffic does happen. But by getting a clear picture of the situations you may be able to focus on helping them out. If pilots miss a sign on the runways, focus should not be on the pilot, but on the visibility of the sign. It doesn’t really matter if you say: Pilots should look out for signs or they should get fired. Next time an unlucky pilot misses the sign… bang.

Something similar could be done with IT security. When someone reports a bug they encountered, the focus should be on fixing the bug, not on blaming the one who found it.

Remember the focus in this case is the flaw or bug, not the one who finds it. Unfortunately the case appears to be focusing on the man rather than the real issue. We do this in our daily life. It’s a part of human nature. But the bug never gets fixed… and then the really bad guy comes…

Quote of the week: April 2nd, 2007

Monday, April 2nd, 2007

“Great minds discuss ideas. Average minds discuss events. Small minds discuss people.” – Unknown