One man's EDR is another's man's surveillance apparatus 
๐
๐
Hacking = power. #Infosec pros have:
โ Proximity/adjacency to law enforcement
โ Oft-unfettered access to data
โ Lack of industry regulatory oversight/licensing, few limits, gray areas
โ Zero or near-zero discussions about the ethics of data collection or the work of infosec
โ Proximity/adjacency to law enforcement
โ Oft-unfettered access to data
โ Lack of industry regulatory oversight/licensing, few limits, gray areas
โ Zero or near-zero discussions about the ethics of data collection or the work of infosec
We seem to have no idea how we sound to regular folks if we talked about this stuff in ways that would allow them to make analogies about our work. It's all jargon, and never has to be explained.
I have been shocked by the disconnect we have as infosec pros to regular people.
I have been shocked by the disconnect we have as infosec pros to regular people.
I stepped outside corporate infosec bubble to work at an activist nonprofit which fights government use of mass surveillance, and a devastatingly large amount of the research we've done in various spaces has horrified me.
It has become very clear that the disconnect is so profound, that we as tech workers, especially those who are at massive companies, are unaware of our how work directly impacts human beings, and what part we play in aiding & abetting suffering. Infosec is no exception.
It's very easy for an infosec person to, say, slam the TSA for 'security theater' which leads to little measurable improvement in security in exchange for our right to be free from unreasonable search & seizure.
Yet those same people in the same breath,
Yet those same people in the same breath,
...would ardently defend their own work which produces much the same result.
Infosec likely has much worse outcome metrics than the TSA yet breaches continue, seemingly unabated.
Infosec likely has much worse outcome metrics than the TSA yet breaches continue, seemingly unabated.
Is there justification for the massive data collection apparatus in existence at every Fortune 1000 if we ultimately fail to operationalize the data, fail to attribute the harms, fail to stop further intrusions, and just overall fail?
When the TSA forces our bodies through invasive search techniques for the stated purpose of security, we are rightfully offended at this very visible intrusion to our bodies, and call it a violation of our civil liberties.
Yet we do not apply the same standard to ourselves. Why?
Yet we do not apply the same standard to ourselves. Why?
The stakes currently aren't as high as a plane crashing out of the sky**, so it'd be great if we could both increase recognition of our roles as powerful actors and strongly couple that with a culture of responsible use of that power.
**๐ช๐ฏ ๐ฎ๐ฐ๐ด๐ต ๐ฑ๐ญ๐ข๐ค๐ฆ๐ด, ๐ง๐ฐ๐ณ ๐ฏ๐ฐ๐ธ
**๐ช๐ฏ ๐ฎ๐ฐ๐ด๐ต ๐ฑ๐ญ๐ข๐ค๐ฆ๐ด, ๐ง๐ฐ๐ณ ๐ฏ๐ฐ๐ธ
BTW this isn't commentary on the pros who posted these comments. This is literally the standard culture of the industry & all of what was said in that thread is reflective of everyday life. We have access, we like it, we use it to defeat bad guys, and we are firmly the good guys.
People believe there isn't room for discussion on these things because we're the good guys, and any harms resulting from our initial data collection has nothing to do with us! We didn't do that! Someone else did. Our intentions were pure. In this way, we remain morally distanced.
โข โข โข
Missing some Tweet in this thread? You can try to
force a refresh
ใ
