[Cryptography] Trusting companies has nothing to do with the companies

Dan Kolis dankolis at gmail.com
Sat Jul 11 10:52:25 EDT 2020


I read the last rattle-ons about companies and deviations from best
practices for security in routers and other stuff sold like that.

Here's the simple reality: upper management doesn't care in the
slightest about the details of products, regarding security or features.

The only two questions are: How much and when.

Some unnamed, unloved techno-grunt deep in the company entirely defines its
approach toward security for whatever product he/she manages. All their
emails and memos about security are politely filed and never read.

If some bad thing happens, they are used to blame them, independent of
content.

You can't trust s/w you can't see; even if you see it, you probably don't
see all of it. And the pretence of looking after end-user interests is
entirely superficial window dressing. The management that make that
entirely care that you believe it. Whether it's true means nothing to them.
They do hope it's true, as long as it doesn't cost anything to achieve or
generate a delay to actually do. Testing is the ultimate in
unnecessary expense. Pretending to test, again, is very important. Why test?
If it fails, customers will send you messages.

Security is definitely a super-yawn issue, the very lowest of the low for
concerns. There are lots of other situations, people, systems or warnings to
blame besides the stuff you made. Why not spend to fix a pothole in the
parking lot instead? That's visible.

So simple.
Dan