Profile picture
Perry E. Metzger @perrymetzger
, 17 tweets, 3 min read Read on Twitter
Today's news about the Marriott breach should finally drive home a lesson that has been missed for years now: "we've been doing what every other big company does" means you are insecure and have to change your ways, because the median large company has terrible security. 1/
If you're hiring the sort of FTE security people your competitors have been hiring, following the sorts of practices other similar sized firms follow, buying the sort of products they buy, you're doing it wrong. 2/
"We can't be blamed, we just do what everyone else does" is oxymoronic. Under current circumstances, if you're doing what everyone else does, you're blameworthy, because at this point the experiment has been done, and the message reality is sending you should be clear. 3/
You need to hire much smarter, much more technically skilled security people. Security people who have lots of security certifications but can't program and don't know how the network works aren't going to cut it, even though you've hired a lot of them. 4/
You need to start patching your systems within hours, not within weeks or months or never. If your business people say "but that risks downtime!" then you need automated test systems to assure things stay up after patching. 5/
(And if you don't yet have automated tests, you need patch without them. And if you don't think you have budget to do automated testing, then you probably don't have budget to stay in business. Really. You can't do this halfway in the modern world any more.) 6/
You have to stop cargo cult practices like making employees use two exclamation points but no percent signs in their passwords that you've length-limited. That's not how people are breaking in to your systems. And you have to stop training your own employees to be phished. 7/
Why aren't all your people using two factor authentication? No, SMS doesn't count as a second factor. Why aren't all your systems backed up, it's <currentyear>? Why did you make a "strategic decision" not to patch an outward facing system "because we're not a target"? 8/
Read the newspaper. If business as usual worked, huge companies wouldn't be broken into every day. Quit hiring on the cheap, quit telling your security people "no, we can't do that", quit hoping that you'll avoid being front page news if you ignore security. 9/
And seriously, if your current advisers are telling you to do the same things that get every other company in sight victimized, maybe they're not giving you good advice. Maybe instead of buying magic pixie dust products you should patch your machines same day and use 2FA. 10/
And maybe if this was easy huge companies with big budgets wouldn't have their customer databases looted on a regular basis. In <currentyear>, you're an IT company no matter what your customers are buying from you. Budget appropriately. Quit being an ostrich. 11/11 for now
Addendum 1: Why do so many companies hold back desktop updates for months or years? It's not like you have a better test lab than your OS vendor (unless you're Google. But you're not Google.) If you get desktop failures, you can use the support contract you paid a fortune for. a/
Yes, sure, maybe when the new version comes out you pilot it for a week on the IT department's machines just in case, and then roll it out slowly. But so many places are running years behind, not weeks, and it's mostly because of fear. b/
But the thing is, you're less safe, the pain is going to come sooner or later, you still have problems because you have no bug fixes, and your users make fun of you because even their grandpa stopped using that version of the OS years ago. c/
If you have a fully automated test lab and can run all the patches through their paces, go for it, but if you're delaying so people don't blame you as much when things fail, well, they're still going to blame you. And adding latency to a change process doesn't make it safer. d/
Oh, and btw, adding more managers to the sign-off part of the change control process doesn't add quality, it only adds latency. If the manager has no special automated test system to check the patch, he's just putting his finger in the air like you are. There's no point. e/
Committees, forms and bureaucracy don't actually test the software. If you're worried about failures, then build a test system. If you don't think you can manage that, quit lying to yourself and update already. You have a support contract for a reason. f/f for now
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Perry E. Metzger
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @perrymetzger see all

Profile picture
I finally realized one of the things that bugs me about most security "certifications" out there. Computer security is warfare. No, really, it's war. There's an opponent who doesn't care about you, doesn't play by the rules, and wants to screw you as fully as possible. 1/
Now, you can do pretty well as a programmer or sysadmin if you're middle of the road, because that's not an adversarial game. Security _is_ adversarial. In warfare, you don't survive if you're second rate, you die. 2/
You don't want to fight for a second rate general, either, he'll get you killed. Computer Security is pretty much the same deal. There's a smart, skilled, ruthless opponent, and you need to be smarter, more skilled, more ruthless. 3/
Read 15 tweets
Profile picture
A tweet thread on why it's probably a good idea to document your open source project. 1/18
Recently, I had an online interaction with a brilliant programmer who contributes a lot to open source projects. A while ago, I found myself faced with a piece of software they had written which no longer worked. 2/18
I absolutely *needed* that piece of software to finish a crucial research project. So I tried desperately to fix it. And I couldn't fix it. I tried for a couple of weeks solid, but I couldn't. 3/18
Read 18 tweets
Profile picture
I think cryptographers working on blockchains have come up with loads of fascinating new ideas. However, the touts, conmen, religious fanatics, etc. involved in these things aren't really capable of having honest discussions about the flaws and strengths. 1/
One of the biggest misconceptions these people often have is the notion that the existing financial services industry is woefully inefficient compared to (say) bitcoin, when the opposite is true. 2/
Another frequent claim is the financial system can't do some interesting thing (store value safely or well, move transactions internationally inexpensively, safely and efficiently clear and settle large transactions), when the existing banking system does these things better. 3/
Read 8 tweets

Related threads

Profile picture
japantimes.co.jp/news/2018/11/2…
apnews.com/9ba57ad1383f41…
SocGen To Pay $1.3 Billion To Settle US Sanctions Violations Against Iran, Sudan And Cuba
zerohedge.com/news/2018-11-1…
Read 37 tweets
Profile picture
I would really appreciate it if people would report this block-evading stalker for targeted harassment, and remind me how to properly report crap like this from someone who has you blocked. Or to the police, at this point.
I'm legitimately afraid for my life right now but since I don't have any real recourse in the matter, I can at least use this right here as an object lesson in unconnected hate groups and bigots who have nothing in common but their targets still regularly coordinate joint attacks
The most visible thrust of today's attack is coming from Jessie Singal, who has been a bit obsessed with me for several years now, and presumably doesn't need a tremendous push for him to sic his roughly 41,000 followers on me.

I'm fairly sure though I don't have so dedicated a
Read 27 tweets
Profile picture
For years, folks have been arguing that there’s no way to separate the #GTMO military commissions from the prior torture of the detainees now being tried.

Today’s (surprising) ruling from Judge Pohl seems to drive home that argument—and spells real trouble for the government...
Indeed, I don’t think it’s an exaggeration to suggest that one of the (many) factors in pushing the government toward trying these cases at #GTMO in the first place was concern over how the shadow of CIA torture might infect evidentiary rulings like this one—from civilian courts.
And assuming the government appeals this ruling to the Court of Military Commission Review (under 10 USC § 950d(a)(2)), that will presumably only further delay the (inexorable) pre-trial proceedings in these cases, perhaps substantially...
Read 3 tweets
Profile picture
1. For those wondering about the cancellation of the military parade, Trump's tweet today is very informative and the whole thing can be explained using my First Rule when it comes to understanding Dems/socialist/Marxists.

First rule: LEFTISTS ARE NOT CAPITALISTS
2. The leftists that control the city of DC just sacrificed possibly 100's of millions in economic activity for a talking point. You see from a leftist POV it's a win-win for them to drive up the costs of the parade, instead of trying to get it for the lowest cost.
3. If the fed gov pays their extortion, the left will have a talking point of how much taxpayer money Trump's parade costs. If the fed gov doesn't pay, they don't have a military parade (reducing patriotism, causing Trump to have a "defeat")
Read 8 tweets
Profile picture
1. QAnon June 21 2018:

Organized riots being planned.
Counter measures in
place.

#QAnon @POTUS #News #Trump #TrumpTrain #Patriots #Pray #Fight #PainComing #EVIL #Immigrants #Children #BewareOfPlannedRiots
2. Rush: Border Separation 'Entirely Manufactured Crisis'.
"This has been going on for years. It happened during the Obama admin. Nobody said a word.. newsmax.com/politics/borde…

#QAnon @POTUS #News #Trump #Patriots #Pray #Fight #EVIL #FakeNews #Immigrants #BewareOfPlannedRiots
3. Liberal Hacks Attack Gov Mike Huckabee for Denouncing MS-13 Killers and Rapists thegatewaypundit.com/2018/06/figure…

#QAnon @POTUS #News #Trump #TrumpTrain #Patriots #Pray #Fight #Parents #Immigrants #Illegals #Children #BewareOfPlannedRiots #EVIL
Read 48 tweets
Profile picture
Home
no one leaves home unless home chases you
fire under feet
hot blood in your belly
it’s not something you ever thought of doing
until the blade burnt threats into
your neck
and even then you carried the anthem under
your breath

#home #warsanshire #poems
#WhereAreTheChildren
only tearing up your passport in an airport toilets
sobbing as each mouthful of paper
made it clear that you wouldn’t be going back.

you have to understand,
that no one puts their children in a boat
unless the water is safer than the land
no one burns their palms
under trains
beneath carriages
no one spends days and nights in the stomach of a truck
feeding on newspaper unless the miles travelled
means something more than journey.
no one crawls under fences
no one wants to be beaten
pitied
Read 8 tweets

Trending hashtags

#siteci #local #Today #MMIW #poems #Resist #FearLesOndes #MusicSermon #bcopli #Reconciliation #VoteRepublican #nation #sports #EyesOpen #FPIC #TrumpProtest #Obama #Immigrants #News #home #America #BCUC #cdnpli #mariellepresente #IrishinArizona

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!