This even happens when there is not nearly as much status difference between the two.
I was once tasked to work with TPM 2.0 provisioning in an embedded position. They specifically chose me and pulled me from another team because of my skills in cryptography (I wrote Monocypher). Fast forward a couple weeks, I notice that the way the provisioning was specified, it would allow us to provision a fake TPM without noticing. My team lead didn’t believe me.
Sometimes later we had an actual provisioning procedure in place, and what do you know, it worked to completion even with a fake (software) TPM and a real certificate from the manufacturer. Because, well… we just didn’t compare the relevant public keys. My team lead was still sceptical.
I had to mention the issue in a meeting with some higher-ups and the security guy to be allowed to fix the problem. I believe this goes a bit deeper than a status game. I think it’s downright magical thinking: this hope that ignoring problems (especially vague threats like security vulnerabilities), could make the problem actually disappear.
Definitely some of that. but in Kevin's day it was most likely a team of IBM blue suits, white shirts, and red ties vs. Kevin in whatever he found to wear.
I was once tasked to work with TPM 2.0 provisioning in an embedded position. They specifically chose me and pulled me from another team because of my skills in cryptography (I wrote Monocypher). Fast forward a couple weeks, I notice that the way the provisioning was specified, it would allow us to provision a fake TPM without noticing. My team lead didn’t believe me.
Sometimes later we had an actual provisioning procedure in place, and what do you know, it worked to completion even with a fake (software) TPM and a real certificate from the manufacturer. Because, well… we just didn’t compare the relevant public keys. My team lead was still sceptical.
I had to mention the issue in a meeting with some higher-ups and the security guy to be allowed to fix the problem. I believe this goes a bit deeper than a status game. I think it’s downright magical thinking: this hope that ignoring problems (especially vague threats like security vulnerabilities), could make the problem actually disappear.