Profile picture
Jake Williams @MalwareJake
, 7 tweets, 2 min read Read on Twitter
I'm writing a new blog post but I need some help. We have a problem in the tech industry with consent vs. informed consent. Problems with confusing the two are not unique to infosec. Medicine has been practiced for millennia, but informed consent is at best ~50 years old. 1/n
Legalese terms of service can't be comprehended by a large percentage of a user base. Even if you understand what is being collected, do you understand how it will be used? A patient can't give informed consent without a discussion of risk. 2/n
Doctors don't routinely downplay risk in a procedure. This comes from two sources:
1. Liability
2. In most cases (electives are a counter-example), the doctor has a product (the procedure) the patient needs

These do not hold true in the technology field. 3/n
In the tech field:
1. There doesn't seem to be meaningful liability for failing to protect data (or the user)
2. You have something the user wants, not needs (in most cases).

The dynamic creates a perverse incentive to downplay risk, neutering the concept of informed consent 4/n
So I've laid out the problem as I see it, but I don't have a solution. The problem statement is: How do we get to a place where informed consent in technology is actually informed? 5/n
Here's what I'm sure won't work:
1. Educate users - we use too many services and nobody reads ToS (or the multitude of updates)
2. "Make them pay" - okay, but who are them? Are the fines meaningful? Do fines help the user or just the government?
6/n
I'm legitimately interested in how to solve this problem. I'm sure there's a way, but I unfortunately suspect it will involve more government regulation. Please reply with your thoughts. I'll be using some replies in an upcoming blog post. Note if you don't want to be quoted. 7/7
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Jake Williams
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @MalwareJake see all

Profile picture
Twas the night before Christmas and all over the ‘net,
Not a creature was stirring except China hacking Tibet.

The IPS were strung by the egress with care,
In hopes that St WannaCry soon would be stopped there.
1/n
The children were nestled all snug in their beds,
While IoT devices mined the dreams from their heads.

Mama with her EDR and I with my IDS
Were ready to tackle an infosec mess.

Down in the SOC there arose such a clatter,
I logged into my dashboard to see what was the matter 2/
This thing had better work, it cost so much cash.
But gosh darnit, I can’t use it until I update Adobe Flash…

Pondering the alarms I thought “Oh heck no!”
That’s because the threshold for alerting was configured so low.
3/n
Read 14 tweets
Profile picture
I certainly don't agree with everything in this thread, but it is very thought provoking nonetheless. I tell clients regularly that cyber security IS warfare if APT is in your threat model. We often fight nation state hackers with nearly infinite resources by deploying a CEH. 1/n
This obviously doesn't work. When you step back and look at resources that APT groups have, it's obvious they can comrpomise almost any organization. My favorite example is the China/Bit9 example. Picture being an attacker who can't get into a top tier target. 2/n
Now imagine that you think "Bit 9 is standing in our way, so we'll 'just' go comrpomise them." Um, that's a moonshot. Ask yourself:
1. What kind of organization dedicates resources to moonshots?
2. How many moonshots do we not know about?
3. How valuable was that target?
3/n
Read 7 tweets
Profile picture
Equifax moved the IT security team out from under IT due to "fundamental disagreements." This is highlighted as a shortcoming in the report, but infosec shouldn't be under IT. Imagine if your internal audit group were subordinate to the group it was auditing. 1/n
The report goes on to discuss moving infosec back under IT. Again, in the vast majority of cases this is the wrong answer. If we are all holding hands around the campfire, then maybe this works. In the real world, it only works when the right personalities are in place. 2/n
This is why we need subject matter experts writing these reports. During the testimony, Committee members became fixated on the fact that IT and infosec were in different orgs. They then drew inferences from the fact that IT referred to infosec for answers (and vice versa) 3/n
Read 8 tweets

Related threads

Profile picture
Hey @alexisohanian, you *likely* won't remember this, but we met at a Super Bowl party in Harlem in 2011. Random? YES. I asked for your help wiping spilled beer off my back. You obliged, and we chatted for a minute. I was a flight attendant then, but now I'm in tech. 1/10
Meeting you,@alexisohanian, and @hueypriest at that party was one part of the catalyst that got me into the tech industry. I met REAL people who built an awesome thing that people LOVED. You brought tech into a reality for me in a way that my non-famous nerd friends did not. 2/10
I quit being a flight attendant to attend a full-stack bootcamp a few years after that Super Bowl party, and am now doing what I love as a woman in #tech. @alexisohanian, you helped inspire me, and I am hoping you're willing to inspire more #womenintech 3/10
Read 10 tweets
Profile picture
I've had my 2nd coffee and it's time for another #infosec rant. This one is aimed, with love, at my white male colleagues in this biz. I love that many of us are helping our brothers and sisters build their careers in infosec. But PLEASE be careful with the advice you give out.
Before we white dudes give career advice to others, we have to consider that the tech industry (including #infosec) still has HUGE double standards when it comes to race and gender. Thus, what worked for ME might actually be harmful advice for a woman or for a black man.
One obvious example is: "You don't need a college degree." I'm a college dropout myself - I did 2 yrs of a CS degree before deciding that school wasn't for me. By the time my class graduated, I'd already co-founded @rapid7. Great!
Read 9 tweets
Profile picture
New blog post summarizing recent work by grad student Pengfei Li. tritonstation.wordpress.com/2018/06/14/rar…
The scientific version of the paper is in press at A&A; you can get the preprint at arxiv.org/abs/1803.00022
A single effective force law suffices to describe the data for nearly 200 rotating galaxies. Good fits are obtained for ~90% of galaxies with reasonable M*/L. No muss, no fuss, and no need for the extraneous parameters we usually invoke in dark halo fits.
Read 4 tweets
Profile picture
New blog post: How to constructively review a research paper
freedom-to-tinker.com/2018/05/15/how…
Let's start by acknowledging that three key review criteria — correctness/validity, impact/significance, and novelty/originality — differ greatly in terms of reviewers’ ability to judge them.
Unfortunately, "novelty" in peer review is often used as a euphemism for cleverness. If this tendency is left unchecked, publishing is at risk of devolving into a contest where academics impress each other.
Some suggestions for reviewers on how to constructively talk about correctness, impact, and novelty in a review. freedom-to-tinker.com/2018/05/15/how…
Read 4 tweets
Profile picture
#New PA cong. map increases D chance of winning the House majority by 4%. They only need a 6.8% generic ballot margin now (down from 7.7) to be favored.

Diff. will be closer to 10% in Nov when uncertainty from polls is ⬇️. Redraw is a very big deal.

One major reason the new PA map is such a big gain for Democrats is that it solidifies, not just tips, PA districts in Philly burbs. Also creates one additional vulnerable R district. (Easily seen in this map made by @JMilesColeman)
My forecasting model will have new PA map in the near future. This is not just a simple switch; it’s a coding redesign, restructuring of input, & drawing new geographic files. Takes a while (for me, a student).

In the meantime, just add 3-4% to the model: bit.ly/2018_house
Read 4 tweets
Profile picture
Since ancient times, members of the #infosec tribe have adhered to a set of rigid Rules of Branded Vulnerabilities across the cybersphere.
These rules apply equally regardless of actual merit, impact, or practicality of the vulnerability in question. They are:
1) After a vulnerability is discovered and confirmed, the first cause of action is to register a domain name.
Read 18 tweets

Trending hashtags

#USS #tech #VPN #SFBlockchainWeek #womenintech #donttouchme #TomoChain #0xTracker #Ethereum #eddiestruble #Twitter #Vostok #BaaS #blockchain #EIP1337 #dApps #CancerSeason #NEW #Galway #Devcon4 #NotAllMen #SoundMoney #MetaMask #LiskMobile #IPFS

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!