Happy New Year! I hope each of you had a great holiday season and that 2012 has started off well for you. I know for me I’m really hoping that this year my life can slow down some, but if the first 3 weeks of the year are any indication then I may be in trouble. :( For those of you who don’t know, I’ve decided to take a short sabbatical from the Southern Fried Security Podcast. That was one area where I could step away and know that things would be in good hands and still keep some sanity. I don’t plan on it being a long break but don’t know when I’ll be back as of yet.

Now on to the actual reason that I’m writing this post...

As many of you know, some hackers released source code for an older version of a couple of Symantec products. Symantec said that it would have no real impact on their customers because the code was for products that were 5 or 6 years old. They also said that the code wasn’t taken from them but from a business partner. I guess their conscience got the best of them because now they have decided to come clean and admit that the data was actually taken from them in a breach of their network. When you read the various articles the picture is still a bit fuzzy. Were they breached recently or 6 years ago? If it was that long ago, why are we just now finding this out, or worse yet, why didn’t they know it until recently? If you read some of the quotes from Symantec spokesperson Chris Paden it almost seems to say that the breach happened in 2006 but they just discovered it. Lots and lots of unanswered questions and questionable comments and actions.

So what’s the point? Honesty, Integrity, Character, Trust. All things that people and companies need to embrace. Let’s face it, we are living in hard times right now. Many companies are struggling and doing all they can to keep their heads above water, and consumers (individual and business) are looking long and hard at where they are spending their money. They are also looking at the total value for their dollar and they want to know that the company they are doing business with isn’t trying to pull the wool over their eyes. I know that if a company changes their story and is vague on something like this then it says to me that they will do it in other areas and it erodes my trust in them. The same holds true for an individual. If you are not honest in some areas, how can I trust you in others?

On Wednesday I noticed that Josh Corman (@joshcorman) posted the following couple of tweets.

joshcorman Joshua Corman

If $SecurityVendor uses deception / social eng to separate you from your $$$, how are they not just another adversary?

joshcorman Joshua Corman 

.@gollmann there are a lot of things $SecurityVendors shouldn’t do. Some abuse the implicit "trusted adviser" expectation more than others

18 Jan


I’m sure most of us have stories of vendors gone wild. Ones who sold you what you didn’t need or what wasn’t right for your environment. Sold you too much, or baited you with a little only to hit you with the big stuff later. Maybe they gave you a good deal on what you needed but took you to the cleaners on professional services to make it work. Sometimes it’s the company culture that encourages it and sometimes it’s just an unscrupulous sales person or an SE who is working off commission and wants a nice Christmas at your expense. The problem still goes back to character, integrity and trust. If they aren’t there then someone will get hurt.

To be fair, it also happens on the side of the customer. Oftentimes they will try to take the vendor for all they can get, even if it’s lots more than they paid for. Maybe they broke something but they want to get it fixed for free, so they will try to make it look like it was defective. I remember one time early in my career we were having problems with a data circuit, and in my troubleshooting I determined that the problem was with the smart jack that our T1 terminated at. I called the local telco and put in a trouble ticket and they scheduled a time for a tech to be out to look at it. My boss called and told me to take a paperclip and short out the smart jack. The telco would charge us for a service call if it turned out that the problem wasn’t with their equipment and he didn’t want to risk having to pay. I refused to do it, and it turned out that I was right anyway; the jack was bad. To me it just wasn’t worth tossing my integrity out the door to possibly save the company a couple of hundred dollars. Not to mention the fact that if I did that, then what else would my boss expect me to do? It’s a slippery slope and we can’t afford to go down it.

Don’t get me wrong, I’m not condemning Symantec b/c I don’t know all of the facts. They just happened to be the one that got me on my soap box. I hope that Symantec is able to clear this up and that we discover that the twisted stories are all the handiwork of a few individuals who can be replaced with people of integrity. I’d hate to learn that it was a corporate culture of lying that was behind this. There are already enough companies out there who will do all they can to keep and make more money no matter who it hurts. We have enough “evil” companies out there already and we don’t need more. We need to be people of integrity and we need to demand it of the companies that we do business with.