Lea Kissner
Feb 1, 2022
Dr. Gus Andrews is up next at #enigma2022

It's all just information. They have different teams.
People try fact checking and AI/ML. A lot

But assumes facts and trust are at the center
How to get people on "team science"?

Concept of fact comes from 17th century
Fact is appeal to evidence
Team science may not win
Well, how did journalism turn their reputation around?
You don't trust the evidence, you trust the facts, the appeal + evidence.

Team misinformation trusts different experts
Trust is contextual
Trust in medicine shaken by multiple things, including doctors saying opioids were safe
Not even to mention Tuskegee experiments or eugenics
Team loyalties go back generations
Ways Team Q tries to appeal to evidence
Not about the texts, about how you read them. Can't fix everything with AI
Misinformation is a social problem.
Team social media running into team journalism
Invest in local institutions for fact checking, more likely to be trusted
Maybe have editors?

Learn from previous projects
Expose your algorithms to more perspectives
Support your local public schools

More from @LeaKissner

Dec 6, 2022
A rant on tokenization:
Tokenization is replacing particular data with an opaque set of bits, called a “token”.
The token either is encrypted or a mapping stored in a table. Tokens are usually a fixed # of bits (usually 64) for simplicity.

They are also surprisingly dangerous...
I love tokenization for cases like credit card numbers, where a small opaque piece of data is quite sensitive and generally has reasonable usage patterns. But people try to use tokenization without security or scalability.

Don’t do this. Let me explain...
Why use tokens? (If you can make them secure and scalable enough)
* Because you don’t need to worry so much about every single system which touches tokens instead of sensitive data. That's great, because I've already got enough things to worry about.
Read 12 tweets
Nov 23, 2022
What's a good way to set the edge between a security (or privacy) engineering team and the rest of engineering?

(Was asked this question this morning and thought the way I think about the answer might be helpful to other folks.)

One simple trick: look at your on-call rotations
There are a lot of places where systems are security/privacy-critical. A *lot*. Not all of those should go in the security/privacy team.

I'm Captain Pragmatic, teams should sit where they're productive and happy, but this is where I'd tend to put those teams.
1. The systems where you can't build or run them without doing security/privacy deeply on an ongoing basis. Think authentication, authorization, insider threat detection systems for security. Think central data deletion infra for privacy.

Those should live in sec/priv.
Read 13 tweets
Nov 16, 2022
A buddy who's interested in end-to-end encryption (E2EE) but hasn't done one of these projects in the very messy place which is the real world happened to ask me this morning about pitfalls which might not be obvious. So here's a partial list in the hopes that it's helpful. 🧵
For context: I have a PhD in cryptography, my thesis is on privacy-preserving cryptographic protocols, and I'm publicly known to have worked on several novel E2EE systems (from Zoom and Google).

So: 1) YMMV because every system is a bit different 2) this is not my first rodeo
1. People lose their keys. Most obvious, always important. Their phones break, they're lost, etc. and all the keys which were on them go away. Also people forget passwords.

People get grumpy when they lose their data. If you can design your product so they're not, it's easier.
Read 14 tweets
Nov 15, 2022
I want to be right, so I keep looking for how I could be wrong.

I ask my coworkers what worries them, how I'm wrong, what I'm missing. I repeat and repeat that I want the bad news, because I can't help fix problems I don't know exist.
Everyone has their own style, but this really helps me solve problems, fix things, and keep them fixed.

Plus I get fewer surprises. Security and privacy people hate surprises.
I've been getting questions in here so I'm going to start answering 'em in this thread in the hope that the answers are helpful to other people, too. And if you have a different answer, go ahead and post it! Different things work in different situations.

Except being a jerk.
Read 7 tweets
Aug 18, 2022
Hey folks! If you don’t know me, I’m the CISO of @Twitter – I run the information security, privacy engineering, and IT teams.

We’ve got a bunch of roles open across infosec, privacy eng + legal, and IT. Come help Twitter build great things which respect our users! 🧵
I’d love to have the chance to work with you. We have roles from relatively junior up to Director. Links in this thread; there are likely some more coming.

Managers are tagged in this thread, so you can ask any of us questions or say hi. They're good folks.
All of these jobs are remote-friendly, with a few caveats: (1) your working day needs to overlap heavily with the folks you’re working with (for most roles Americas time zones) (2) we need to be able to legally hire you where you want to work.
Read 23 tweets
Feb 15, 2022
I mentioned the Bad News Hat at #enigma2022 and promised to tell the story when I had a few minutes.

This is the hat I pull out when I have to tell people something they won't like. I do it because earlier in my career a group of people literally cringed when they saw me. 🧵
[Image: A dusty black hat with a spray of colorful feathers stuck in]
Back in the day, I worked with a particular team who had what I called "incident season" which came right after... well, as far as I could tell, "bad decision season". They weren't all bad, but under pressure to launch this team launched some things which weren't solid. /2
I had to walk over and tell that team they had an incident which they needed to drop everything and fix so many times that they started literally flinching when they saw me, even if I wasn't coming to tell them anything bad!

This isn't great for a working relationship. /3
Read 8 tweets
