Merry Christmas to everyone except GoDaddy infosec leadership specifically.
I hope your food turns out awful and your kids hate all their presents. I also hope people remember this when you apply for jobs in the future. This is one of the cruelest and most counterproductive moves I have ever heard of inside our industry. I am stunned.
It’s not “touchy feely” of me to point out this was bad. Not only is it stunningly unethical, the overall result on GoDaddy security will be objectively negative as it spoils the fragile relationship between infosec and staff for future IR, reporting, and policy adherence.
If you think about phishing tests or any red team assessments in a vacuum and not as a part of the holistic security posture of the organization in terms of detection and incident response, you’re not seeing the big picture of security. Absolutely any of you can be phished.
We need ethics and business courses to be required in every cybersecurity degree program.
I’m the one who has to go into these orgs during incident response and try to piece things back together in time to contain an adversary and restore operations when employees won’t talk to their security team anymore and evade all their controls.
