[Discuss] Most common (or Most important) privacy leaks

Mike Small smallm at panix.com
Wed Feb 18 14:58:51 EST 2015


Bill Horne <bill at horne.net> writes:
...
> People care a lot about their own privacy. The problem is that, by and
> large, it's /only/ their own privacy that they care about.
...
>
> So long as "security" must be implemented with the cooperation of men
> and women who resent their station in life and their poor prospects
> for the future, it will be a serious problem. As Bruce Schneier so
> aptly pointed out (when critiquing the TSA's policy of confiscating
> bottles of liquid) - "There's no penalty for failure". In other words,
> so long as the consequences of lackadaisical behavior are borne by
> anonymous stockholders instead of the perpetrators, we lose.

It's not confined to lower-level positions in my experience, this kind
of failure. I point out problems to my bosses as I see them and try to
be as clear and convincing as I'm able, but at the end of the day I can
do nothing more than let them know and hope some external factor prods
them to remember and act on my advice some day.  The company has a
security policy document and a way to report problems farther up the
management hierarchy but having read it I'm not convinced it can protect
me from retribution or hard feelings over bypassing local authority. Nor
do I have any reason to believe the institution as a whole or the top
brass would respond any better (on the contrary...) or to believe their
security policy is anything more than a ticked-off checklist item among
current management practices companies are expected to have in place
before going public.  I can try to do my best not to write insecure code
and to fix local security bugs when I see them, but issues requiring
management buy-in and coordination are out of my hands.

-- 
Mike Small
smallm at panix.com


