Profile picture
Perry E. Metzger
@perrymetzger
, 9 tweets, 2 min read Read on Twitter
Many people assume "this was done by a large company/this product was bought by many large companies/this security product was audited by a big accounting firm; so we can trust it!"

The Swiss voting system fiasco reminds us: that assumption is wrong. 1/
There's a widespread bias in this direction. I heard a colleague recently say, about a product I discovered was so architecturally flawed it cannot be remediated, "but so many big companies have bought this, it can't be that bad?" But it can. 2/
We know that big organizations, even major governments, screw up on computer security so often that they wind up in the newspapers week after week. The assumption that big organizations can't possibly be incompetent at security is constantly disproven by the real world. 3/
Note I'm not claiming all large organizations have screwed up their security, just that being a large and famous organization tells us little about whether or not security at that organization is well run. The assumption that famous, large, and old means competent is wrong. 4/
So the next time you hear a salesman explaining that this product is used by many giant firms so it must be good, or the next time you hear a colleague saying a product can't possibly be bad, it is so widely used, remember that's a fallacy. 5/
When someone tells you "this is the industry standard way of doing this, all the big companies do it this way", that doesn't mean it's even remotely acceptable from a security perspective. If that were a reasonable argument, big companies wouldn't be in trouble constantly. 6/
And do not believe that because some large and famous accounting or management consulting firm has audited a product or process that it is any good at all. Those firms have failed to find problems so frequently that their reports tell you very little. 7/
Doing security well is hard. You can't fall back on the usual corporate strategy of trust in authority. The only way to make sure something is good is to look at it carefully and check. If it's too complicated to understand, then replace it with something that isn't. 8/
And just because your marketing people insist something must be possible doesn't mean they can countermand computer science at will. If they insist that you sign off on something impossible, get your resume together quickly, before they drag you in to a career ruining event. 9/9
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Perry E. Metzger
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @perrymetzger see all

Profile picture
Perry E. Metzger
@perrymetzger
@danwallach @AlecMuffett The problem is that people communicating is a normal part of living, not a disease. Social media provides supernormal stimuli (google for the term if you don't know it) and that exaggerates normal behavior, but fundamentally the problem is people.
@danwallach @AlecMuffett People have been engaging in things like mob violence and tribalism for as long as there have been records. Read up some time on the Nika Riots in ancient Constantinople if you want to see how little really changes with time.
@danwallach @AlecMuffett And much of what Facebook and the rest are expected to censor are extremely durable human interests like sexuality; as long as we expect that there will miraculously be no nipples visible, someone has to battle all the people who want to see nipples.
Read 8 tweets
Profile picture
Perry E. Metzger
@perrymetzger
This is a must read. Facebook is expected by the general public and regulators to do a perfect job of simultaneously censoring posts and protecting free speech. This is of course impossible. The impossible task falls on human beings, as described: 1/

theverge.com/2019/2/25/1822…
Read the whole thing, the best isn't at the front. Everything from people trying to parse erotic choking images to people terrified that their former co-workers might kill them. All the consequences of humans being asked to do a job perfectly that is literally impossible. 2/
This is the consequence both of demanding censorship and then paradoxically demanding that censors never block anything by mistake. It leads one to question whether the central problem isn't with Facebook's attempts at censorship but with the demands made. 3/
Read 8 tweets
Profile picture
Perry E. Metzger
@perrymetzger
@StephenPiment I don't think "Worse is Better" really explains it. The LispM builders made a number of serious mistakes. For example, the IBM 801 papers had already been published at the point where they were designing the CADR but they didn't pay attention to them, and continued not to.
@StephenPiment (They presumed that microcoded architectures with complicated instructions were better, and never tried measuring to prove what was in fact a hypothesis. The hypothesis was, of course, desperately wrong.)
@StephenPiment They also presumed that portability wasn't really important, that tying software hand and foot to a particular CPU architecture was fine. That I can blame them for less; the first really portable OS (Unix) already existed but wasn't widely understood yet.
Read 11 tweets

Related threads

Profile picture
JJ
@Jonejam222
Truth Time: 1) CBS is Gaslight Central - So I USED to love watching a few Television shows. NCIS, NCIS New Orleans & LA, Bluebloods, Bull and a few others.

They tried to stay edgy, I get that. But they have been gaslighting viewers for a long time. Lets just look at the last
2) week.

NCIS 11/13 - Activist against corporations = hero

LA 11/11 - veteran snaps and kills drug dealing kingpins

New Orleans - activist group (libturds) kick out nutcase who uses bombs to kill corporate elites = hero group

Bull 11/12 - man pleads guilty to assault ...
3) but is only doing so because he cant afford bail, later tried by corrupt prosecutor for homicide after assault victim dies. Man is acquitted after prosecutor put on trial. Man = hero.

4) FBI 11/13 - veteran snaps &helps armed robbers hit armored cars. PTSD and Vets = villains
Read 7 tweets
Profile picture
Chad Loder ❇️
@chadloder
This is the best thing on Twitter this morning. I see too many security products trying to *replace* human-to-human interaction - there’s a good chunk of security and privacy that’s about *people*.

Let’s make more products which help people STOP, collaborate, and listen 😝
Forgetting about the “people” part of security is why we’ve heard “GRC is dead” for the last 10 years. We’re on “GRC 4.0” now and it *still* sucks.

GRC tools like Archer are designed for Process and Technology but forget about the poor People who have to use that dumpster fire.
We still have new vendors trying to design single-pane-of-glass “CISO dashboards”, meanwhile *very* few security companies are truly focused on people (not just security people) inside of organizations.

@duosec is one of the few companies who has focused on people. @habitu8 too
Read 10 tweets
Profile picture
Chad Loder
@chadloder
We have a huge credibility problem in information security and it's time we addressed it. We #infosec experts spend too much time asking "How do we get users to care more about security?" - and not enough time asking "How do we get security to care more about users?"
We give security advice without considering the impact to users in terms of cost, time, complexity, and risk of harm. A perfect example is "Turn on #2FA everywhere". It's #2factortuesday, right? I'm a fan. We spend endless hours debating whether SMS-based 2FA should ever be used.
Meanwhile we've spent ZERO time educating users on the risks of harm with #2FA. Namely, the risk that they could lose access to their account. The recovery procedures for 2FA-protected accounts are nearly impossible for average users. How honest are we about this with users?
Read 8 tweets
Profile picture
Jensen Harris
@jensenharris
Many people working at startups change jobs frequently, while employees of big companies may toil in the same place for decades. 😢

If you work at a megacorp today, how do you know if you’re ready to make the big leap to the startup world?

Here are 5 questions to ask yourself:
1) Are you capable of working in an unstructured environment?

Here’s the thing, even in well-run startups, there’s nothing like the command structure, hierarchy, and clear roles of a huge megacorp.

Big companies thrive on deep layers of people and titles and information.
Startups require you to make progress despite ambiguity. Often times deep ambiguity.

Features aren’t in planning for months. There’s no internal handbook describing exactly how your role works. Every “first” has to be invented.

You kind of have to figure it out on your own.
Read 22 tweets
Profile picture
Schmancy
@EnnnDeee
Do not give up on a relationship unless you have exhausted all of your options.**

If you have harmed trust, do the work to rebuild it by sincerely asking the person/hearing how you can rebuild the trust; then do the work they asked of you.
(1/10)
If there is a breach of trust, it is on the person who has breached it to show care & respect in action to repair before their hurts can be addressed - most relationships can be saved.

**excluding domestic violence, sexual abuse, etc. (2/10)
There are many reasons you were attracted to this person, committed to them, (and they to you) honor it. Honor the precious time of your lives you have dedicated to one another. Understand how you experienced yourself with them in the beginning & use that as a source. (3/10)
Read 11 tweets

Trending hashtags

#Trump #Max80 #Winning #Motto #TrySomethingNew #Trust #science #Lagos #Ozark #45DaysOfElvisCostello #JustBurnIt #ProtectDemocracy #FastandFurious #developments #partnerships #BeBest #CarlosSalinas #Baku #Ikorodu #globaldev #cpa #Product #Government #product #JimmyCarter
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!