
> It's like, if you were walking away from your car in a parking lot, and someone said "Hey! You've left your car unlocked!", and you yelled at them angrily "Stop looking at my car!!!".

It's probably more like some rando yelling out from where he's loitering by the cart return "hey, your binzinger's habroodled! Your car might cause an accident when it snerts!". What does he want? Is it a scam? Are those really parts of a car? He doesn't even know you, what's his angle? -- What do you do? Look down and keep walking, that's what. It almost seems reasonable.




The key phrases are recognisable though. It's not "bizinger" and "habroodled" and "snerts" - it's "vulnerable", and "security issue", and "data protection", and "safety". These aren't alien or strange terms, they're simply words you don't want to hear about your product.

When a manufacturer issues a safety recall, you don't need to understand things like the necessary gap between mains voltage and 12V in a transformer, or the biological reaction to high levels of insecticide in an egg, you simply need to recognise a safety warning from an industry professional.

The issue in these cases isn't that the people in charge don't recognise technical terms, it's that they wilfully ignore the voices of caution, warning them about safety issues. In many industries, that lands them in court.


I think you might be vastly overestimating the technical competence of a lot of people in non-tech management. In my experience, a lot of people really do believe those nonsense phrases we hear in response to a disclosure - "our system has been audited, so we know it's secure", "we use military-grade password encryption" etc. To the average user, this stuff is basically voodoo.

Imagine that you got a letter from a stranger, telling you that the locks on your upstairs windows didn't work properly. How confident are you that you'd take it as a helpful suggestion, rather than being completely creeped out by this menacing weirdo?

I think that negative responses to disclosure are generally grounded in a mixture of fear, mistrust, misunderstanding and arse-covering. Someone who discovers a vulnerability is seen as inherently untrustworthy, because why else would they be snooping about and trying out the locks? We think of computer systems as inherently insecure until proven otherwise, but they see their systems as fundamentally secure until someone comes along and breaks it. If you're fearful of technology, it's easy to hear "excuse me, I think your system is vulnerable" as "nice system you have here, it'd be a shame if someone broke into it". Denials and cover-ups are often the default corporate response, because being the bearer of bad news can be a career-limiting move in many organisations.


> We think of computer systems as inherently insecure until proven otherwise, but they see their system as fundamentally secure until someone comes along and breaks it.

Hmm, I think you're onto something. Maybe they just don't get that the vulnerabilities are already there, waiting to be exploited -- they think that the person they've heard from actually broke something that will now make it possible for others to get in. I guess if you don't know what's going on, that's as reasonable a theory as any.


> We think of computer systems as inherently insecure until proven otherwise, but they see their systems as fundamentally secure until someone comes along and breaks it.

Another way of saying essentially the same thing: both parties believe that "extraordinary claims require extraordinary evidence." However, for us, the extraordinary claim is that software is secure; whereas, for them, the extraordinary claim is that the software for which they have paid so much money can somehow be insecure.


> Imagine that you got a letter from a stranger, telling you that the locks on your upstairs windows didn't work properly. How confident are you that you'd take it as a helpful suggestion, rather than being completely creeped out by this menacing weirdo?

If I were really creeped out, I'd be even more likely to spend effort making sure the locks on my windows are secure, as now I know there's a menacing weirdo looking at them, so I'd want to be extra sure he couldn't get in.


> I know there's a menacing weirdo looking at them, so I'd want to be extra sure he couldn't get in.

Now, imagine that the menacing weirdo had included a return address on his letter. Would you report him to the police? If he got locked up, then that would be one way to make extra sure he couldn't get in.

And then the problem is solved, so you don't even need to fix the locks...


This is where the analogy breaks down; if my metaphorical windows were on the open internet, I wouldn't feel at all secure after locking up one single weirdo.


Why would you feel insecure if that were the case? Is it because of your technical understanding? People who lack it wouldn't feel that way.


> Why would you feel insecure if that were the case?

Because there are multiple weirdos/criminals in the world, and protecting my stuff is worth it to me.


every drupal site you've ever administered is insecure because of the new triple-axel md5 unlink()-based heap overflow i've discovered.

so just send the money.


If your site collects and stores private information, someone working for you needs to know enough about security to sort the crazies from the real security researchers.
