Chief Executive Officer, Security Innovation

I want more robots

Apr 10, 2007 · 4 mins

When I think about how much money and time our society invests to reduce susceptibility to malicious (and sometimes just dumb) acts, I get nauseous. Organizations that produce software, appliances, automobiles, etc. spend billions of dollars testing their products to reduce the likelihood of a hacker exploiting them or a consumer suing them for using their product in some stupid way. Don’t we all know we’re not supposed to use a blow dryer in the bathtub, or put hot coffee on our laps after pulling out from McDonald’s drive-thru? I know, I know — it’s not the consumer’s fault… the manufacturer should have taken more precautions with their product… the consumer has a right to sue (another religious battle to argue). Yeah, right, but it’s still a pretty stupid action.

Designers, whether they are software or structural architects, can only factor in what is known today and consider the dumbest and most likely ways that a consumer or attacker could use their product. I realize this is a religious battle, but how can we expect to hold manufacturers accountable for ALL security defects in their products? I’m reminded of the cliché, “guns don’t kill people; people kill people.” Has a gun manufacturer ever been sued because a murderer used their product to shoot someone? Should manufacturers be responsible for quality and strive for higher standards — absolutely. Long live W. Edwards Deming! But how far do we take it with respect to security?

Can you imagine all the good uses we could put our time and money toward if we didn’t have to protect ourselves against hackers and idiots — like building a better product with lots of really great features?  I bet my microwave (or my Linux server for that matter) could wash my dirty dishes if more effort were spent on feature enhancement. And I’m confident we’d see a lot more robots in everyday use (don’t get me started on Japan’s culture and the relative violent crime ratios between there and the US).  Imagine going to an airport where you experienced a quick and non-hassled walk to your airplane and parking was free because airlines and airports didn’t have to shell out millions of dollars in security.  What a waste.

Yes, TJX was negligent in their efforts to install and maintain secure information systems, but we also have to remember that they were the victim of a crime — yes, a victim, not the criminal. Unfortunately, their poor judgment caused millions of others to become victims, too, and for that they will probably be punished with some hefty fines and settlements (and rightly so). But they didn’t perpetrate a crime… their weak systems were exploited by a criminal. I’m no apologist for poor information security systems, but we shouldn’t be making criminals out of victims. The Stop & Shop heist was a real shame because that company was doing so much right and making so many investments to secure their infrastructure, and then *wham!* a clever group of crooks hits a soft spot in their POS systems. Tsk, tsk…

And the costs of information security breaches are not trivial. Remember the incident at UCLA just a few months ago (December 2006)? UCLA administrators admitted that a hacker had been accessing campus databases containing Social Security numbers and other personal information of some 800,000 staffers and current, former, and prospective students. The cost of notifying all the affected people: an estimated $10 million. So much for that new hi-tech computer lab at UCLA.

Of course, there are also some dumb decisions that lead to incident costs: how ’bout that dandy promotion McDonald’s ran last August in Japan where they gave away 10,000 Mickey D’s-branded MP3 players? The players came preloaded with songs and, on occasion, a version of the QQPass Trojan. The virus crawls a machine when connected — it captures passwords, user names, and other data and then forwards the info along to hackers. Whoops! Shoulda checked those MP3 players before handing them out! More cost and time to protect ourselves against people trying to steal from us.

I never thought I’d see the day that my job would rely on bad and dumb people.  They keep my paycheck coming along, but I think the world is better off without them.

Ed Adams is a software executive with successful leadership experience in various-sized organizations that serve the IT security and quality assurance industries. As CEO, Mr. Adams applies his security and business skills, as well as his pervasive industry experience in the software quality space, to direct application security experts to help organizations understand the risks in their software systems and develop programs to mitigate those risks. The company has delivered high-quality risk solutions to the most recognizable companies in the world including Microsoft, IBM, Fedex, ING, Sony, Nationwide and HP.