<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On 22 April 2014 05:40, Stephen Gallagher <span dir="ltr"><<a href="mailto:sgallagh@redhat.com" target="_blank">sgallagh@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<div><div class="h5"><br>
</div></div>Since you missed the link: <a href="https://www.youtube.com/watch?v=jYGgVUYjXQ8" target="_blank">https://www.youtube.com/watch?v=jYGgVUYjXQ8</a><br>
<br>
I too recommend that everyone gives it a look. It is very insightful<br>
and helpful in understanding what people really do once this gets out<br>
the door.<br>
<br>
Major points:<br>
1) People turn off security features that they can't easily figure out<br>
how to tune.<br>
2) "Hackers" are a significantly smaller security threat than managers<br>
("I need it to work now, we can secure it later!")<br>
3) Recovery and auditing are more important than prevention.<br>
<br>
Those are some of the basics, but it *really* is worth taking the 40<br>
minutes to watch the whole thing.<br></blockquote><div><br></div><div><br></div><div>Uhm that is basic short-term outlook versus long-term outlook and seems to miss the cost it takes to deal with security before, during and after the effect. While the customer can take the point of view that they will turn off stuff because it gets in their way, we as the development side do not have that luxury. The cost of trying to get security into software or an OS is much much higher if we have to deal with it after the fact. This was a lesson that every OS company had to learn the hard way in the 1990's and early 2000's. The Unix companies had to deal with this in the 1990's when it became clear that the security threat landscape was different on a network than it was on a phone line. Just getting firewalls into the OS was a giant challenge and cost the companies a lot in support issues because it wasn't designed or tested with what they had. Microsoft went through multiple quarters of lost revenue and stock drops because they had to get a working firewall and other security measures that weren't really tested in the firstplace. Apple got away with it by buying an OS (NEXT) which had already gone through the 1990's firewall security and other challenges. They had stuff which was already designed in. </div>
<div><br></div><div>To use an example he uses in the lecture... we are building the OS immune system. We can eat dirt during development and make it stronger or we can deal with it later when there is a threat we didn't know about and the OS immune system is screwed later. Saying "oh they can turn it on" misses the fact that we never thought of how it would affect application Y which we made crucial.</div>
<div><br></div><div><br></div></div>-- <br><div dir="ltr">Stephen J Smoogen.<br><br></div>
</div></div>