Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

1/12/2010
02:05 AM
Gadi Evron
Gadi Evron
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

We Have Nothing To Say -- Or Do We?

The first rule of appearing smart, they say, is to keep quiet, but keeping quiet doesn't help your PR. What are you to do?

The first rule of appearing smart, they say, is to keep quiet, but keeping quiet doesn't help your PR. What are you to do?This is the third in my series of posts on security PR (see "How To Talk To Reporters" and "How To Disclose A Vulnerability," plus "The Secret Sauce For Security Blogging"),

In that third post, I discussed how writing from on the ground so that people feel more engaged with your writing, as well as sharing real data along with your analysis, assures people that you know what you are talking about, and allows readers to participate.

In these two notions lays the secret of having something smart to say to the press. Specifically, marketing is always frustrated with having nothing new to say, and R&D is always frustrated with marketing being stupid (as they see it) and not getting them coverage that matters.

The key is communication. Marketing is looking to publish information on new products and new sales. So R&D is pressured to meet deadlines. R&D is looking for the branding -- they are even more keyed to it than the marketing department. Only they call it winning the respect of their peers.

As Avi Freedman once put it to me on a long drive from Boston to Philadelphia while drinking gallons of cherry cola, "People constantly underestimate how much geeks want the approval and respect of other geeks."

The respect of others entails something interesting, and something real.

On the ground level, you have the security researchers and the R&D developers. Humans are social beings, and therefore they don't just look at code all day. They share news stories, talk about something they encountered, and discuss something cool they've just seen or done.

You won't always have a new vulnerability to share with the world.

Your job is to befriend and listen to the technologists:

    1. Have they found something interesting in how old vulnerabilities are being exploited? 2. Have they seen new attacks coming from somewhere in the world? 3. Is there a new trend in what types of targets are chosen? 4. Is there an interesting news item that you would like someone from your company to be heard on? 5. Or more specifically, are they excited about something while meeting in the kitchen to make coffee?

You won't always land gems, but you will establish the infrastructure for finding out when the gems are there.

Don't immediately pressure technologists to write, but show interest in what they say and try to understand why it's exciting.

While it's OK to ask directly -- people should know what you are interested in -- just try and be friendly and see if something pops up.

Once you find such an interesting topic, you can encourage the technologists to make something of it. For example, if they merely implemented something in an interesting fashion, encourage them to blog about it and promise to help with editing. Their experience in solving the problem would interest their peers. In a way, what you are doing is coaching them on how to get their name out there so that they choose to write in the future.

By establishing the relationship, and the blog, you will both find new interesting things to say, as well as establish the branding of the blog so that reporters visit it often.

R&D time is often protected, especially with the pressure you put on them to meet deadlines. Try and be open about how important PR is and how you think the R&D can help. Bring the Big Wig on board, ask that researchers and developers be encouraged to write in the blog, and make it something they want by ensuring the higher-ups show interest in new blogs, which will make sure everyone else is excited to get a good blog written.

Another option is to create a project to get people to center their excitement around. For example, in one company I worked for I hired a few comic strip artists and encouraged technologists to come up with ideas for new comic strips. Whenever someone got excited about something, they'd try and see how it fits in a strip. It was fun for everybody, and we often even met outside of work hours to brainstorm it.

Convincing management that such blogging matters may not be easy, and will be what decides if you will be able to be extremely successful with a blogging strategy, or just have access to what's really interesting, which on occasion you will be able to utilize. It's a win-win situation either way.

Establish communication. Get excited. Then write about it.

Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading.

Follow Gadi Evron on Twitter: http://twitter.com/gadievron Gadi is CEO and founder of Cymmetria, a cyber deception startup and chairman of the Israeli CERT. Previously, he was vice president of cybersecurity strategy for Kaspersky Lab and led PwC's Cyber Security Center of Excellence, located in Israel. He is widely recognized for ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15208
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
CVE-2020-15209
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
CVE-2020-15210
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
CVE-2020-15211
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
CVE-2020-15212
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...