Robᵉʳᵗ Graham 𝕏
Aug 28, 2020, 30 tweets
Okay, I'll bite.

1/ The Internet is secure enough. Sure, in some cases we can improve networks with more security, but in many cases, more security makes things worse, not better.
2/ Infosec professionals arguing for more security are a lot like those who argue for police states or military industrial complex. We try to argue from a position of moral authority, that security is a moral imperative rather than a marginal benefit that exceeds marginal costs.
3/ Burnout comes from failure at internal corporate politics -- such as failure to convince people that more security is necessary. It's not seen this way. Nobody describes "my corporate political battle" but "I'm right -- which they'd see if not for their corporate politics".
4/ Your management claims "security is our #1 priority" but they lie. Management wants NOT to excel at security, but be at most slightly above average among their peers. Your fight to excel at cybersecurity within your organization therefore can't win:
blog.erratasec.com/2020/07/how-ce…
5/ You can win at corporate politics if you stop thinking of your co-workers/management as people who can be reasoned with, and start thinking of them as targets of social engineering. The best social engineering trick is sincerely listening to what they have to say.
6/ "Technical debt" would be a useful metaphor -- except that people don't understand finance or debt, but instead share common misconceptions and prejudices against debt. It's thus a political term for internal corporate politics rather than a useful metaphor.
7/ Whether "victim blaming" is good/bad depends upon your political affiliation with the victim. Richard Clarke's "corporations deserve to be hacked if they spend less on security than coffee" is a clear example of victim blaming that our community doesn't condemn.
8/ If "defense in depth" always requires more spending, then simply say that the principle is "more spending means more security". The term is really trying to hide that people's actual agenda is to increase budgets, increase spending, and build empires.
9/ Technical certifications like the CISSP are created by people who themselves aren't terribly qualified, who themselves do not understand the technology. It's like tests for doctors created by somebody with an associate's degree in hospital management rather than a medical degree.
9a/ There is much discussion about a "skills shortage" in infosec. Well, yes, when those without skill are in charge of certifying skills, what do you expect would happen?
10/ A CISSP is useful for getting a job that requires a CISSP -- which is to say, getting hired by management who themselves have little clue, and who will not be able to provide much personal growth or mentoring.
11/ Security is a product, not a process. Know your limitations. If your org has non-technical management, requires CISSPs, and is riven by out-of-control political fights, then it's not going to be able to manage people to create robust processes. It must rely upon products.
11b/ Saying "security is a process, not a product" is like saying that everybody should be above the median (or above average). It's saying that to excel at security you need the sort of organization that already excels.
12/ There are only a few areas where I'd advise management to do better than their peers. The most important is dealing with lateral movement of ransomware using Windows networking.
12b/ You think you've got ransomware under control because it keeps hitting desktops and you keep cleaning it. You don't realize you are dodging bullets, that if it hits a DOMAIN ADMIN desktop, then every desktop/server in the org gets hit and everything goes down.
12c/ In The Matrix, even Neo eventually couldn't dodge them all and got hit by a bullet. The trick is to reach the point where you don't have to. Solve lateral movement.
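One concrete check a defender can run for the exposure described in 12b: find every place a Domain Admin account has logged on interactively outside the domain controllers, because each such host is a desktop where one ransomware infection inherits domain-wide reach. This is an added example, not code from the thread or from any product it mentions; the privileged account list, the tier-0 host list and the Security event 4624 records are all constructed for illustration.

```python
"""Flag interactive logons by privileged accounts on ordinary workstations.

Added example, not from the original thread. Input is a constructed list of
Windows Security event 4624 (successful logon) records reduced to the fields
that matter. The privileged-account set and the tier-0 host set are assumptions.
"""
from collections import defaultdict

# Logon types that leave a usable credential on the target host:
# 2 = Interactive (console), 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
# Type 3 (Network) is deliberately excluded: it does not log the account on locally.
RISKY_LOGON_TYPES = {2, 10, 11}

# Assumed Domain Admins membership (constructed).
PRIVILEGED = {"CORP\\da-alice", "CORP\\da-bob"}
# Assumed tier-0 hosts where those accounts are expected to log on (constructed).
TIER0_HOSTS = {"DC01", "DC02", "PAW01"}

# Constructed sample of logon events. Only EventID 4624 is a successful logon.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "DC01",    "TargetDomainName": "CORP", "TargetUserName": "da-alice", "LogonType": 2},
    {"EventID": 4624, "Computer": "WS-0417", "TargetDomainName": "CORP", "TargetUserName": "da-alice", "LogonType": 10},
    {"EventID": 4624, "Computer": "WS-0417", "TargetDomainName": "CORP", "TargetUserName": "jdoe",     "LogonType": 2},
    {"EventID": 4624, "Computer": "FS01",    "TargetDomainName": "CORP", "TargetUserName": "da-bob",   "LogonType": 3},
    {"EventID": 4624, "Computer": "WS-0099", "TargetDomainName": "CORP", "TargetUserName": "da-bob",   "LogonType": 2},
    {"EventID": 4625, "Computer": "WS-0099", "TargetDomainName": "CORP", "TargetUserName": "da-bob",   "LogonType": 2},
]


def account(ev):
    """DOMAIN\\user form of the logged-on account."""
    return f"{ev['TargetDomainName']}\\{ev['TargetUserName']}"


def find_exposed_admin_logons(events, privileged=PRIVILEGED, tier0=TIER0_HOSTS):
    """Return (account, host, logon_type) for every successful interactive-style
    logon by a privileged account to a host outside tier 0."""
    hits = []
    for ev in events:
        if ev["EventID"] != 4624:                 # failed logons (4625) etc. are ignored
            continue
        if ev["LogonType"] not in RISKY_LOGON_TYPES:
            continue
        acct = account(ev)
        if acct in privileged and ev["Computer"].upper() not in tier0:
            hits.append((acct, ev["Computer"], ev["LogonType"]))
    return hits


def hosts_by_account(hits):
    """Group the exposed hosts per privileged account for reporting."""
    out = defaultdict(set)
    for acct, host, _ in hits:
        out[acct].add(host)
    return dict(out)


if __name__ == "__main__":
    for acct, host, lt in find_exposed_admin_logons(SAMPLE_EVENTS):
        print(f"{acct} logged on to {host} (logon type {lt})")
```

The DC01 logon and the type-3 logon to FS01 are not reported; the two workstation logons are, and each of those workstations is the "domain admin desktop" the thread warns about. On a real estate the same logic runs over forwarded 4624 events from every host, with the privileged set pulled from the directory rather than hard-coded.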
13/ The infosec industry plays politics but doesn't pay attention. NSA 0days like ETERNALBLUE weren't responsible for NotPetya's devastation, as the politics argue. The devastation was caused by lateral movement via Windows networking.
14/ In the four years since the Mirai worm/botnet/ddos, over 10 billion IoT devices have been attached to the Internet, yet the potential exposure of Mirai-style vulnerabilities has actually gone down (according to my scans of the Internet).
15/ After Mirai, in government circles, saying "worm" meant "IoT worm", saying "botnet" meant "IoT botnet", saying "DDoS" meant "DDoS from IoT devices".

But since Mirai, worms, botnets, and DDoS have been almost solely a Windows problem.
15b/ It's hard reasoning with people when you think you are talking about the same thing, such as "botnets", until you come to the realization you are talking about removing admin privileges from Windows and they are talking about IoT regulation.
16/ Be wary of cybersecurity "experts" who stress:
* choose strong passwords
* keep up to date on patches
* don't use public wifi
* don't click on suspicious links/attachments
16b/ These statements are subtly deficient. I think it's an IQ test where people can't see what's wrong with statements like "be suspicious of suspicious looking emails" and "don't trust untrustworthy links".
16c/ By far the most important general consumer advice is "don't reuse passwords on important sites". Your email password should only be used for email. Some additional advice:
blog.erratasec.com/2017/11/your-h…
17/ "Cybersecurity" is a fine word.
18/ Learn more programming, SQL databasing, sysadmining, netadmining, Chrome devtooling, command-lining, and the crypto. People impress me with other job skills that I could never have, but at the same time, our industry as a whole lacks necessary technical skills.
18b/ The Snort IDS has always been deficient in TCP reassembly. Yet, it's impossible to discuss this problem because people don't really grok TCP reassembly.
18c/ To repeat, I'm not saying ignorance of TCP reassembly makes you bad at your job. People who are phenomenal at their job and who contribute loads to the community don't understand it. It's just that as a community, we should value more understanding such things.
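What "grokking TCP reassembly" means in practice, as an added example that is not from the thread and is not Snort's code: two segments can claim the same sequence-number range with different payloads, and host stacks do not all resolve that overlap the same way. A reassembler therefore has to pick a policy, and an IDS whose policy differs from the host's inspects a different byte stream than the host actually delivers to the application. The segments below are constructed; the two policies are a simplified "first arrival wins" and "last arrival wins".

```python
"""Reassemble a TCP byte stream under two overlap policies and show that the
result depends on the policy chosen.

Added example, not from the original thread or from Snort. Segments are
constructed; the two policies are simplified stand-ins for the range of
behaviours real host stacks exhibit.
"""


def reassemble(segments, policy="first", isn=0):
    """segments: iterable of (seq, bytes) in arrival order.

    policy 'first': the byte that arrived first for a position is kept.
    policy 'last' : a later segment overwrites earlier data for that position.
    Returns the contiguous bytes available starting at isn, stopping at the
    first gap (data beyond a hole is held back, as a real stack would).
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unknown overlap policy: {policy}")
    buf = {}                                  # absolute position -> byte value
    for seq, data in segments:
        for i, b in enumerate(data):
            pos = seq + i
            if policy == "last" or pos not in buf:
                buf[pos] = b
    out = bytearray()
    pos = isn
    while pos in buf:                         # walk forward until the first hole
        out.append(buf[pos])
        pos += 1
    return bytes(out)


# Constructed segments: the second and third claim the same range [5, 9).
SEGMENTS = [
    (0, b"GET /"),
    (5, b"evil"),
    (5, b"safe"),                             # overlapping retransmission, different payload
    (9, b" HTTP/1.0\r\n"),
]


def policies_disagree(segments):
    """Reassemble the same arrival sequence under each policy and return both,
    so the two candidate streams can be compared side by side."""
    return {p: reassemble(segments, p) for p in ("first", "last")}


if __name__ == "__main__":
    for policy, stream in policies_disagree(SEGMENTS).items():
        print(f"{policy:5}: {stream!r}")
```

With the sample above the "first" policy yields the request line containing "evil" and the "last" policy the one containing "safe"; whichever the target host does, an IDS that does the other thing has been evaded without any vulnerability in the IDS's own parsing. A production reassembler also has to handle partial overlaps (the test below includes one where a later segment both overlaps and extends earlier data), out-of-order arrival, and holes.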
19/ So IPv6.

Me: "I don't understand. Why do we need IPv6?"
Them: "Because IPv4 has 32-bit addresses, limiting it to only 4-billion devices on the Internet".
Me: "I don't understand. There are 20 billion devices on the IPv4 Internet already".
19b/ To be clear, I've failed to understand the 4-billion device limitation of IPv4 since 1992. It's fun watching people trying to explain, using ever simpler terms so that even a child can understand that 32-bits means a maximum of 4-billion.
19c/

Question: "Why IPv6?"
CISSP test answer: "Bigger addresses"
Correct answer: "Preserve end-to-end principle and reduce routing table size"
