,
9 tweets,
2 min read
Read on Twitter
Infosec, we have failed our users. By and large, we don't have answers. We only tell people that they're doing something wrong, and our solutions tend to neglect or ignore users' desires, usability and functional requirements. Select examples:
Problem: Malware might assume broad privileges, exfiltrate data to shady IPs.
Infosec: Here, install this 3rd-party blob on all systems & run it as root; requires an unsigned kernel module, posts data to some AWS IP. We use it to detect if any other processes do the same thing.
Infosec: Here, install this 3rd-party blob on all systems & run it as root; requires an unsigned kernel module, posts data to some AWS IP. We use it to detect if any other processes do the same thing.
Problem: Writing secure code is near impossible.
Infosec: Well, uhm, NEVER do _that_. Or _that_. And not like _that_. But don't look at our code, cause that has all the same problems for some reason.
Infosec: Well, uhm, NEVER do _that_. Or _that_. And not like _that_. But don't look at our code, cause that has all the same problems for some reason.
Problem: Passwords.
Infosec: Rotate frequently, NEVER write them down. Except nowadays you SHOULD write them down in a Very Special program & no rotate & most importantly whoops I got side-tracked arguing about entropy and theoretical cracking speeds while making hunter2 jokes.
Infosec: Rotate frequently, NEVER write them down. Except nowadays you SHOULD write them down in a Very Special program & no rotate & most importantly whoops I got side-tracked arguing about entropy and theoretical cracking speeds while making hunter2 jokes.
Problem: Plugging a USB stick in to see what might be on it can get your laptop pwned.
Infosec: Easy. Only ever plug USB sticks into an airgapped system inside a high-security vault that is subsequently wiped and reinstalled from a cryptographically signed and known safe image.
Infosec: Easy. Only ever plug USB sticks into an airgapped system inside a high-security vault that is subsequently wiped and reinstalled from a cryptographically signed and known safe image.
Problem: Plugging your phone into a public USB port can get your phone pwned.
Infosec: Lol, idiot. Just take a regular USB cable, cut it in half, strip the shielding, twist and cut some of the wires in the right order, solder them, tape them up, and you're good to go.
Infosec: Lol, idiot. Just take a regular USB cable, cut it in half, strip the shielding, twist and cut some of the wires in the right order, solder them, tape them up, and you're good to go.
Problem: Phishing emails may trick you into submitting your passwords to an illegitimate site.
Infosec: We'll phish-shame you until you include "This is not a phishing email." in all your emails.
Infosec: We'll phish-shame you until you include "This is not a phishing email." in all your emails.
Problem: Clicking on a link -- i.e., what a web browser, in which we spend literally 100% of our work day, is specifically designed to do -- can get you pwned.
Infosec: Uhm... don't click bad links. Good ones are ok, tho. No, we don't know how to tell the difference, either.
Infosec: Uhm... don't click bad links. Good ones are ok, tho. No, we don't know how to tell the difference, either.
There are hundreds more. We keep addressing the symptoms, not the disease. We need to do better. Focus on usability and purpose, make what people want to do safe instead of asking them to change what they want.
