Dear infosec (pardon the thread),
Don't celebrate too hard at the thought of jailing CEOs for failing to protect data. First, it won't pass. Even if it does, it won't mean what you might think. It won't create a SOX style environment around cyber. Sorry 1/ gizmodo.com/wyden-unveils-…
What's far more likely to happen is that GRC will rule infosec. If there's anything we don't need, it's more paperwork for paperwork's sake.
It will also bring an end to the lack of licensure in infosec. Ever wonder why there are so many requirements to be a CPA? 2/
Hint: it's not because CPA is old and infosec is new. At least part of the difference is that screwing up accounting results in jail time for someone. Screwing up infosec usually means you update your resume, blame your boss for insufficient resources, and move. 3/n
Sure that's cynical, but I don't think it's far off. Professional licensure is not good for a profession this young. If you think I'm wrong, just look at what CREST has done overseas. It's an unofficial infosec taxation body that stifles innovation. 4/n
For better or worse, anyone in the US can start a cybersecurity consultancy. Not so in many areas - you have to wade through CREST requirements to get meaningful work. CREST talks about how this protects members. It certainly does. But it hurts the community as a whole. 5/n
Ever wonder why you never hear about "the DEFCON of accounting conferences?" That's because it doesn't exist. Generally speaking, professions with legally mandated professional bodies don't have gatherings like that. I'm not advocating for being idiots, but for innovation. 6/n
Lots of innovation occurs when people can try new ideas in a (mostly) judgment free zone. That won't happen under this sort of legislation. Old IT nerds know the adage "nobody ever got fired for buying IBM." Expect more technology consolidation under this too. 7/n
While getting fired for picking the wrong technology stack is bad, going to jail is far worse. Go ahead and say "the bill is just about making executives accountable." Sure, on the surface that is true. It's something we've been asking for in infosec for a while now. 8/n
But let me suggest that you should think about the probable ripple effects. They aren't small. They'll be felt throughout the infosec community. Before saying "make executives accountable for cybersecurity" make sure that's really what you want. 9/n
BTW, this isn't an attack on Wyden. I generally love his ideas and even this one is well intentioned. He's trying to do right by "the people" while I'm looking at the health of an industry (an erosion of which will eventually hurt the people). /fin
Quick public presenting tips:
* Know whether you're projecting or streaming and use appropriate slide templates for each. Dark backgrounds that look awesome streaming won't project worth a darn.
* Know your audience and connect with them using some common touch point 1/
* Plan less material than you think you'll need. It's FAR more common that you'll run long than run short. Even experienced presenters find themselves with too much material for the time allotted
* No eye chart screenshots if you intend for the audience to see something in it 2/
* Use a larger font size than you think you need. Seriously. Every time. This helps people understand your presentation, but it also limits how much text you can put on a slide
* Every slide has a theme. Put that theme in the title to orient (or reorient) the audience 3/
A 🧵: This morning, I was in a @lyft when a car accelerated and made an aggressive last second lane change, cutting off my driver. My driver had to slam on the brakes and honked his horn. By the next light, it was obvious the dangerous driver was an off duty NYPD officer 1/
I know this because he changed lanes again and held back in his lane so he could be parallel to our car. The driver was an officer in uniform who was yelling and wildly gesticulating out the window at my driver. He was clearly pissed to say the least. 2/
My driver immediately moved his hands high on the wheel and faced forward. He wouldn't look over at the now screaming officer who looked like he might get out of the car at any second (it looked like he unbuckled his belt). Thankfully, the light changed and we drove away. 3/
Given all the science denying, I mean "vaccine debates," I wanted to come clean about something:
At the beginning of the pandemic, I told my own daughter if they developed a vaccine in less than 12 months I'd be highly skeptical and probably wouldn't take it.
I regret that. 1/
A vaccine *was* developed rapidly and after looking at the science, it was undeniably safer than risking even an asymptomatic COVID case. Before anyone says "bah, you don't know the long-term risks of the vaccine" you're 100% right. Nobody does. 2/
But I'll counter that you don't know the long term risks of (even asymptomatic) COVID. I've looked at the science on both. On the vaccine front, there's nothing but anecdotes and fear.
But on the COVID front? There's a LOT there. Brain swelling is never good. Ever. 3/
Interview advice: if your Zoom/email/whatever avatar is any derivative of the Punisher logo, you're making a horrific* first impression. Even if the hiring manager doesn't care, they know others likely will. 1/
*unless you are interviewing for a job as a vigilante
This goes for all sorts of logos/backgrounds/whatever. But know that anything depicting skulls/death/violence is especially triggering for some folks. It's not for me, but I'm always thinking "will this potentially offend a customer?" If yes, you're fighting uphill... 2/
Feel free to explain why I shouldn't care, then go start your own business and connect back with me in a few years.
But forget the business side, think about people. You aren't likely to be more considerate to customers than a hiring manager. Hiring managers know this. 3/
If @GitHub (Microsoft) truly believes copilot isn't infringing on anyone's work, I want to offer them a chance to prove it: I'll donate $50k to a charity of their choice (or @EFF if we can't agree) if they release a Copilot version trained solely on Windows kernel source. 1/
This isn't a joke. It would be amazingly helpful for device driver developers. This in turn would ostensibly benefit Windows users through fewer BSODs. Add the charity money in and there's literally NO REASON not to do it. 2/
So let's set some ground rules:
Independent verification that the newly released model is only trained on kernel source
It's the full kernel source, from all versions (leave Win2k out if you want due to that pesky Java thing)
All kernel drivers owned by MSFT are included too 3/
If you're forcing someone to print and sign a document, understand that you're hurting the underprivileged who don't own or have easy access to a printer. I'm traveling this week and HAD to print something. My friend's printer is broken. This was the cost for ONE PAGE. 1/
Now that's not hurting me a bit, but also recognize it's not the total cost. The nearest place advertising self service printing was Staples, and thankfully I have a car. I'm still out just over an hour + gas costs all in. With public transit, double that (or more). 2/
The money doesn't matter. The time does though. And while my time is more valuable (measured by hourly rate), the time impact to someone underprivileged is much higher. "Pull yourself up by your bootstraps" only works if you don't rob them of time. /3