Tuesday May 01, 2007

SLOTD: the risk of not understanding blogs

Today's SLOTD is a thought-piece - I'm not going to talk directly about the digg.com / HD-DVD key story, which you can perfectly well read about for yourselves and thereby keep more up-to-date with a dynamic story than is possible by reading my witterings; moreover there are many viewpoints on the underlying question of using encryption to "protect" digital media which retailers "sell" (or perhaps "license"?) to everyday people who buy them in aggregate with small shiny plastic disks, and there are wiser people than I who work for Sun whom I intend to chivvy about writing on this topic in the future.

Hello, Susan. :-)

However, last week I posted a video about web2.0 security, and I am in some ways delighted that an example of the gap I didn't cover is coming to the public consciousness so soon.

Our fearless leader two years ago was described and quoted thusly:

Blogging's advantage, from his perspective, is in the transparency and authenticity that nothing else can provide. With more than 1000 company bloggers, people can see inside Sun in ways that are infinitely more valuable than Federal governance regulations. 'Executives are missing a point. There is no perfect truth despite transparency.' He argued that SEC requirements for quarterly reporting are far from as revealing as 1000 Sun bloggers talking about 'the guts of the company,' on a daily basis in a public forum.

From Schwartz' perspective, blogging is not an appendage to Sun's marketing communications strategy, it is central to it. He believes that the 1000 Sun bloggers' contribution hasn't just moved the needle for the company, 'they've moved the whole damned compass. The perception of Sun as a faithful and authentic tech company is now very strong. What blogs have done has authenticated the Sun brand more than a billion dollar ad campaign could have done. I care more about the ink you get from the developer community than any other coverage. Sun has experienced a sea change in their perception of us and that has come from blogs. Everyone blogging at Sun is verifying that we possess a culture of tenacity and authenticity.'

...and the flipside of that is summed up in a nutshell: if you manage to do something which trashes your authenticity, makes you look artificial, opaque, plastic, or disrespectful of the members of your community, then you can suffer in a way that hasn't really had an adequate comparison since the days of tar & feathers, stocks or other forms of community social humiliation.

Sun Microsystems has its own internal vocabulary, and one of the phrases which used to be common was that of the CNN Moment - a "damaging public infrastructure failure often experienced by dot-com enterprises" which presumably would be big enough and embarrassing enough to end up on the front page of the eponymous website.

What I am finding is that it is less obvious to some of my colleagues (and customers) that as mainstream media websites become less relevant, blogs and other communities become more relevant in terms of how people will perceive you and your company; and the distributed nature of blogs means that stories don't get retracted, they get amplified.

So nowadays we should fear "blog moments", or perhaps social-tar-and-feathering, since once humiliation is stuck to your brand then it's awfully hard to wash off.

So there's your security risk for today, and its respective mitigation: if you're going to engage with your community then do respect them and don't junk those amongst them with whom you have an issue; instead you need to engage with your community about the underlying problem - e.g. "Our advisers think this is a legal risk to us, so we're very sorry but we're suspending this thread until we sort this out..." - and you'll come out of it a lot cleaner, and with fewer feathers.

And sadly there is no shortcut. No amount of firewalls, VPNs, privilege management, cryptography or methodology will save you from the business risk of not "getting it".

- alec

Tuesday Mar 27, 2007

A new direction for blogs.sun.com/security/


One of the biggest challenges that Sun's security community faces - all of the security community: the kernel folk, the applications folk, the Java evangelists, the hardware geeks, the integrators, the cryppies, the researchers, the legal beagles, the politicians, and the just plain interested - one of, if not the, greatest challenges is "how can we talk with the customer whilst using a single voice?"

It's easy for product-focused groups; when you create a security widget, hoodjamaflip or doohickey there usually comes a product marketeer who expounds relentlessly about your nifty thing at every opportunity, so that interest catches light and sets aflame many imaginations - and product sales follow.

Or, at least, that's how it's supposed to work. Regarding security, things can be a little different.

The challenge is summed up in the very terminology of Sun's approach to "Systemic Security" - it's inarguable that security is holistic, the summation of good code running on good hardware, properly installed and integrated into its larger environment, with availability, integrity and robustness for all.

So who is your product marketer for the entire stack? Aside from you, who can talk about the wider issues, the architectural big pictures or the knock-on benefits you can get from leveraging one tiny, under-advertised feature of a much larger product like Solaris?

If you are a member of the Sun security community, and if you have something to say, where do you go to talk about the whole panoply of security? To where should you direct your voice?

The answer, now, is here, blogs.sun.com/security.

This is not to say that Sun security folk should abandon their own blogs - heavens, no! Absolutely not. No no no no no! That's not the point at all. Please be clear about that. Please keep blogging.

In addition, here at blogs.sun.com/security we hope to provide a point of consolidation, where people can find postings and feeds pertinent to their preferred topics - Security Alerts, Tips, New Products, Announcements of "Pertinent Stuff" internal and external to Sun - where you can find personally written content with a high signal-to-noise ratio, and where you can have conversations through comments, cross-linking, providing the immediacy which is a cornerstone of the modern web.

For the Sun employee: if you want to post something, or if you'd like to see a pointer to something you've blogged be added, then drop us a line via e-mail. We'll be in touch. Promise. In the meantime get a blog on blogs.sun.com, if you've not got one already.

For the non-Sun reader: Sun Alerts will continue to be posted here by the Sun Security Co-ordination Team; so there will be no change there; but if you haven't already, please bookmark this site or add it to your feeds. Articles, pointers to other articles, and suggestions for postings are welcome. Just add a comment.

If you desire strictly alerts-only traffic, all the security Sun Alerts will continue to be posted into the Security Alerts Category, which already has a specific RSS feed at blogs.sun.com/security/feed/entries/rss?cat=%2FAlerts .

Over the coming weeks there will be evolution and change, and you'll be hearing from real Sun people with real interest in security. The sidebar will expand, the header too. We're also looking towards better integration with the www.sun.com/security website. It would be nice to have something approaching a one-stop shop for anyone who wants to know about Sun and our Security offerings.

For now, though, please keep watching. We hope you'll like the changes.

alec (alec.muffett-AT-sun.com)
