Tuesday May 01, 2007

SLOTD: the risk of not understanding blogs

Today's SLOTD is a thought-piece - I'm not going to talk directly about the digg.com / HD-DVD key story which you can perfectly-well read about for yourselves and thereby keep more up-to-date with a dynamic story than is possible by reading my witterings; moreover there are many viewpoints on the underlying question of using encryption to "protect" digital media which retailers "sell" (or perhaps "license"?) to everyday people who buy them in aggregate with small shiny plastic disks, and there are wiser people than I who work for Sun who I intend to chivvy about writing about this topic in the future.

Hello, Susan. :-)

However, last week I posted a video about web2.0 security and am in some ways delighted that an example of the gap I didn't cover is coming to the public consciousness so soon.

Our fearless leader two years ago was described and quoted thusly:

redcouch.typepad.com

Blogging's advantage, from his perspective, is in the transparency and authenticity that nothing else can provide. With more than 1000 company bloggers, people can see inside Sun in ways that are infinitely more valuable than Federal governance regulations. 'Executives are missing a point. There is no perfect truth despite transparency.' He argued that SEC requirements for quarterly reporting is far from as revealing as 1000 Sun bloggers talking about 'the guts of the company,' on a daily basis in a public forum.

[...]

From Schwartz' perspective, blogging is not an appendage to Sun's marketing communications strategy, it is central to it. He believes that the 1000 Sun bloggers contribution hasn't just moved the needle for the company, 'they've moved the whole damned compass. The perception of Sun as a faithful and authentic tech company is now very strong. What blogs have done has authenticated the Sun brand more than a billion dollar ad campaign could have done. I care more about the ink you get from developer community than any other coverage. Sun has experienced a sea change in their perception of us and that has come from blogs. Everyone blogging at Sun is verifying that we possess a culture of tenacity and authenticity.'

...and the flipside of that is summed-up in a nutshell: if you manage to do something which trashes your authenticity, makes you look artificial, opaque, plastic, or disrespectful of the members of your community, then you can suffer in a way that hasn't really had adequate comparison since the days of tar & feathers, stocks or other forms of community social humiliation.

Sun Microsystems has its own internal vocabulary, and one of the phrases which used to be common was that of the CNN Moment - a "damaging public infrastructure failure often experienced by dot-com enterprises" which presumably would be big enough and embarrassing enough to end up on the front page of the eponymous website.

What I am finding is less obvious to some of my colleagues (and customers) is that as mainstream media websites become less relevant, blogs and other communities become more relevant in terms of how people will perceive you and your company; and the distributed nature of blogs means that stories don't get retracted, they get amplified.

So nowadays we should fear "blog moments", or perhaps social-tar-and-feathering, since once humiliation is stuck to your brand then it's awfully hard to wash off.

So there's your security risk for today, and its respective mitigation: if you're going to engage with your community then do respect them and don't junk those amongst them with whom you have an issue; instead you need to engage with your community about the underlying problem - eg: "Our advisers think this is a legal risk to us, so we're very sorry but we're suspending this thread until we sort this out..." - and you'll come out of it a lot cleaner, and with fewer feathers.

And sadly there is no shortcut. No amount of firewalls, VPNs, privilege management, cryptography or methodology will save you from the business risk of not "getting it".

- alec
