marknca

Mornings With Mark
no. 0002

Transparency & Backpedaling


Full machine-generated transcript follows.

Good morning, everybody. Monday morning, June 4th. Want to talk to you today about transparency and backpedaling in security. The reason why I added backpedaling in there was there was a report over the weekend on Facebook and the continuing data scandal. This thing's been stretching out for months and it just seems to have that perfect sort of media beat.

Just when it dies down enough, it pops right back up with something else that Facebook failed to disclose or wasn't completely truthful about. This time it's their agreements with device manufacturers, from the New York Times, and I'll link to that below and I'll tweet that out @marknca. Basically the gist is they had agreements with 60-plus device manufacturers that they provided private access to a special API to help integrate Facebook into the devices on Android, on iOS, things so that you can see various share capabilities throughout the entire operating system. It also provided a bunch of consent to third parties, even if they had to order friends of friends and things like that, even if they explicitly denied that access. So, as me saying don't share my info with third parties, this API ignored that setting and shared that information with third parties anyway, because Facebook considered them part of the platform.

Lashley third parties, and while I'm sure legally they're covered, there's a huge difference, as we talked about on the show before, there's a huge difference between being legally covered and doing the right thing. And when it comes to security, it's all about transparency when you're dealing with your users.

You don't have to tell them, "Hey, this is how we do a bitwise shift on every packet header." You don't need to do in-depth technical things, but you need to tell them what you're doing. The reason why I want to talk about this today, besides just the Facebook announcement, where the media story around that was this week:

I'm at the Gartner Risk and Security Summit in DC. I'll be there tomorrow giving a talk around security in a DevOps world. And I know I didn't write this original title or the submission, I'm stepping in for a colleague of mine, but he did write the talk. Where I'm taking that talk is really because it's mainly security professionals

I'm at this conference, is to really dive into the fact that you need to shift your perspective. You need to shift how you handle the soft side of security, and the soft side is the people interface. And this example from Facebook is a perfect one where they said, you can imagine the discussion, legally.

This is just me speculating, but you can imagine the discussions internally were like, well, legally we're allowed to do this and, you know, it makes total sense from a technical perspective, and maybe, maybe hopefully someone in the room said, shouldn't we tell people, or should we implement this additional privacy layer though?

I don't know, we can do this. Fine, don't worry about it. I've heard those discussions internally in organizations when they're talking about implementing new security controls, very little regard for the user, or they take one line of thought and justify that's how it's going to go for an hour because technically it's possible or it's not supposed to be intrusive. Personally,

my experience has been the more transparent you can be, the more out in the open with your users, the better off you're going to be, and that's simply because people like to know what's going on, even if they don't need to know the very specifics of exactly how it's technically implemented. Telling people you've implemented something like filtering all the web traffic, but hey, we put exceptions in for your banking so that that didn't even get looked at by an automated system, or all of your email when it comes in is scanned by a set of systems to look for these types of threats, but we're not worried about the fact that you're arranging,

I mean, a movie night with the guys or you're setting up your pick-up tennis game or whatever it is. I don't know if they do pick-up tennis, but I was playing Mario Tennis this week, it's on my mind. But you know, that's the thing, is just letting people know the principles of what's in place so that you can have an open and honest discussion about it.

But also people understand, like, oh wait a minute, I know why you're doing that. It's for our safety because you're going to block this stuff and block this. But it's not a person looking at all my data, it's a system, and I'm okay with that because you told me. As opposed to not telling them and then finding out some way through an HR complaint, where the problem is, well, we know you did this online, and what, you're monitoring my traffic?

I've no idea. So even if it's legally possible, you can get away with it with terms of service for users, even if it's corporate policy, still telling people is important because that engenders trust. Security is all about trust, privacy is all about trust, and the more transparent you can be, the better off you'll be in the long term.

So that's my rant for today, despite the fact that the call's coming in, if you're hearing it out of the speaker, not the reason we're wrapping up, but I think that's the end of it. Hit me up online @marknca, in the comments down below, or on email as always, me at markn.ca. What do you think about transparency? How do you tackle it? How do you move forward? Let me know. Hope you're set up for a fantastic Monday. Depending on how the summit scheduling goes, I might not be on air tomorrow, Tuesday, but I'll be tweeting live throughout the day and then back on Wednesday.

We'll talk to you soon. Take