I've been genuinely surprised how many people in infosec think [Twitter|Amazon|Apple|Google] should in some way be prevented from blocking Trump/Parler.
I strongly disagree & this is a hill I will die on.
I got a lot of DMs about this last night so I think a thread is needed.
First - part of the problem is that the public is being tricked into thinking there is something special about either which gives them an intrinsic right to have $things. I reject that idea. I kind of accept Trump got a pass as POTUS but even that is a sketchy argument.
If we start with the idea that "Tech Giants" should be prevented from denying service to people who violate the Terms of Service, we need to ask who will enforce that? The only option is the government. Think about that.
It is literally calling for the government to have the ability to say what is and what isn't allowed on public discussion channels.
That is fascism, censorship, chilling effects etc. That's the thing you are all saying Twitter (etc) are guilty of.
It really is.
The next problem is the idea that Parler(etc) have the right to a platform simply because they've convinced you that it is down to equality.
It isn't. We don't want racists in society, so we shouldn't be saying they have the right to a platform to spread their evil cancer.
But they don't. No company should be forced to allow it. We would *never* consider this if it was a paedo chat app, so the reality is if you are considering it, you think racists should have some right to voice their views.
I 100% reject this.
The argument that this "silences" people is also clearly incorrect. It does change their audience but that is the inevitable consequence of their choices. Actions have consequences and they need to accept that.
But they aren't silenced.
Not being able to tweet doesn't prevent them using countless other mediums. If the POTUS calls a presser, it will be covered by the entire world's media. And put on Twitter. 49 out of 50 people in the world don't even use Twitter. Pressers are *more* important but we seem to
have overlooked the current POTUS's absolute farce here - rather than call him to account over turning off the legitimate way to communicate, we cry he can't tweet crap at random. No one has been "silenced" here.
There is a side argument which doesn't make sense - its that banning will amplify their voice. That's a direct counter-argument to the silencing but I've seen both made by the same person several times.
The reality is we shouldn't care. It strangles their access to new recruits
and we know it is effective for lots of other hate-groups (terrorists, paedos and all the other horsemen of the cyber-apocalypse).
If banning them makes them more effective, we should encourage terrorist groups etc. We don't. We shouldn't. Banning theme works for us, not them.
What intrigues me about security people making this argument is that, in Infosec, we are constantly asking hosting providers to take down content we don't want them to carry. Often this relies entirely on it being a TOS violation. Do we really want that to stop? Of course not.
Side Thread on Silencing:
Hack the Box (HTB) is an online CTF platform. I learned recently that some companies use HTB rank to drive hiring/pay/promotion. So although it isn't the purpose of the platform, being banned from HTB can have serious career repercussions.
However, HTB also has a policy about what you can/can't do in the forums. If you post a write up for an active box (and it gets discovered), you can be banned from the platform.
I haven't seen many people arguing that this is fascist or a violation of Free Speech.
It is literally a policy implemented by a platform which you agree to be bound by if you use the platform.
If you don't want to follow the rules, use something else. If you have to use the platform for your career, you *also* have to follow the rules. You can't pick and choose.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
Is there a skill shortage in infosec? Are we failing to bring new people in?
It may sound contradictory but I think the answers are "no" and "yes" in that order.
To be clear, in the last 10 years I've been in the private sector, I haven't seen a shortage. But....(1 of many ofc)
But before I continue, a quick side note. This thread was inspired by a tweet from @bettersafetynet who is genuinely one of the most awesome people I've met. His tweet about this was nuanced, which is why I've felt the need to have a massive thread in reply. Follow him right now.
(back to the thread)
But, the real problem is massively broken expectations, misunderstanding, gatekeeping, corporate ignorance and most importantly monumental misspending in the realm of cybers.
There isn't even a shortage of money, it just goes on tools rather than people.
I've been thinking - what actual value do companies see from having a skilled, knowledgeable, capable infosec team? I am a bit worried, that on reflection, the answer seems to be "not a lot."
Dont agree - read on and I will try to explain.
First - backstory. About 5 years ago I was engaged with a company who had a genuinely top-notch [IT|info|Cyber] security department. For an org of ~7000 end users, they had ~20 security professionals who covered a range of disciplines, all motivated, experienced and hardworking
Over the next five years, a combination of frankly INSANE management decisions obliterated this great team. It wasn't a security management issue, it was an organisational fit of madness where most Director-level staff didn't stay long enough to have a forced password change.
Bit of a thread here:
About a year ago I gave an @ Night talk which was attended by about 70 people and it went really well (IMHO). Over 50 people filled in feedback forms and all were 4s & 5s. This was really good because I was planning to use the talk again, several times.
After the talk, I got lots of very positive feedback from lots of people. It was a wonderful ego boost and I was pleased I'd managed to portray the work my team and I had carried out on a big incident.
Bit of an interesting tale about someone who I understand is about to be "let go" after a fairly short time as a CISO. First off, this is not a defence of the person, most people disliked them. It is more a comment on the culture and its problems. (1/?)
First off - the person didn't have the strongest security background and they did rub the security team up the wrong way (including some odd decisions). However, they were brought in to the organisation as an EXPERT over and above any internal candidates (2/?)
They were brought in because the organisation identified that it had problems across many departments and it needed a (new role) CISO to fix this. The person was engaged with a view to a "root and branches" overhaul with no baggage from previous management. (3/?)