#pilot fam: I don't know who needs to hear this but if you went into NC this weekend to fly in supplies and were not working with a specific emergency response organization, you did it wrong and should not be surprised if your efforts were met with less than enthusiasm.

1/ The supply missions you saw being flown by so many GA pilots as part of these orgs are highly coordinated. It's not just knowing what supplies are needed and what airports were safe to land at. It's about coordination with people on the ground to not only receive the

2/

SO MANY LIES. I'm really sick of seeing people make assumptions or just plain lying about the response to Hurricane Helene in the Asheville area. It's insulting to the many great people working their butts off to help folks in dire need.

A 🧵

1/15


"FEMA is rejecting outside help" - STRAIGHT LIE! I was personally part of one grassroots org, and I know of at least 10 others, who were in the area in less than 2 days coordinating aid drops all across the affected area. People from all over the country came to help.

2/15

I've been dwelling on this response from @specterops' @jasonjfrank and whether to respond further. Considering some of the factors you're about to read, you'll see why I chose to take this point by point.

It'll be a thread since I refuse to pay the #MuskRansom.

1/



Let's talk first about the supposed out reach to many diverse speakers. I mean I freaking called it that the "pipeline" excuse would be the first response in my post and you STILL came at us with that response? If you couldn't find a single non-male non-white human,

2/

I'm not sorry I didn't live up to your expectations, those were, after all, yours not mine. I never claimed to be perfect, super human, or even a good person. I try to be all those things but I know I am not. 1/ Look, I can be selfish sometimes, I can be an a$$hole, I can be cruel and mean, and I can be hurtful. I make mistakes, I say and do dumb things, I make other people cry sometimes. It's part of being human, which I am. 2/

OK I said I wasn't going to do this but I guess I am, so here goes and if I left you off, I'm sorry, please know I love you and it was just an omission. Some amazing women doing amazing things that I want to recognize on #IWD2022. A 🧵 @DeweyRitten my partner, pushing me to learn and grow, and conquer
@LilMzMuffinCup amazing woman who inspires me
@virulentvalor proving every day what force she is
@invertedgeek an honor to watch your career launch
@gabsmashh the most intelligent human I know

"Don't give him attention"

Let me explain something. Cybe_rpunkfixer (subject of the original thread) attacked @gabsmashh, Ian Coldwater, myself and numerous other women. So calling me a troll and us a "mob" is an attack on us and a defense of an epic misogynist.

1/

https://twitter.com/AlyssaM_InfoSec/status/1501236347205562369

Cybe_rpunkfixer has been banned under multiple accounts, for his harassment. Jonathan defends him as a victim. Jonathan still, inconceivably, has an audience that are unaware of how phony and toxic he is. So calling it out, I hope helps them to see that so they don't

2/

April 17, 1997 - $35,000/yr

No joke I still remember the exact details. That was the day I started my first salaried job as a programmer. I had no degree (I was enrolled in a Computer Science program at Marquette University), no real documented dev experience.

/1 All of what I knew of programming was self-taught and a little theory from my course work that I had only just begun that semester. BASIC, Visual C++, and a little bit of VB.

I got hired to write code for a home banking and billpay application. It was the dot com era.

/2

I'm angry this morning. Truly angry with myself.

I don't come from money. Growing up, we weren't poor, but near the bottom of the 80's middle class. I always dreamed of being in a better financial position than my parents, but swore I wouldn't forget where I came from.

1/ My first child (of 3) came when I was 17. Married at 21, I lived through nearly two decades of overdrawn bank accounts, maxed out credit cards, collection calls and threats of lawsuits.

Ultimately, we were fortunate. Never had a night where I couldn't scrounge

2/

Christmas more than NYE for me is the time I look back.

I remember so clearly the day I took the red pill. While I knew it'd change my life, many of the changes came in ways I'd have never imagined. So many good things happened this year for me as a result of that day.

1/ I have learned to be authentic in ways I never was before.

That authenticity has allowed me to connect with people in ways I never did before.

Those connections have enabled me to climb mountains in my career and personal life faster than ever before.

2/

I certainly believe while we have moved past the tip of the iceberg, we're nowhere done with #log4j and it's issues. EVERYONE is now looking at this package and finding new variants and even new vulns. Don't expect to sleep anytime soon my dear #infosec fam.

1/ That said, remember there are likely malicious actors out there looking for the next thing already. With log4j burnt and orgs rapidly applying mitigations and fixes, what next? Where do we find the next widely used package with significant vulnerabilities like this?

2/

Hey #infosec peeps, many of us are tired, frustrated, and exasperated by #Log4Shell.

That said, how about we not blast developers en-masse or even within OSS or even within the Log4j project. Let's remember we have culpability here as well.

1/ We did nothing with a warning that was given to us in 2016 at BlackHat. Not one detection rule or scanner policy was created.

Despite extensive OSS security research done by orgs and academia, we failed to find this vuln in probably the single most popular Java package.

2/

Thursday morning, back home after a few days of board meetings and I have some thoughts to share on being effective in board presentations. Tech and security leaders still seem to struggle in these settings so here goes:

As always, it's a 🧵

1/ 1. Research your board members. Find out in advance who you'll be presenting to and look up their background. Talk to your peers who've chatted with the board before, see what intel you can get from them on the dynamics of those discussions. Prep accordingly.

2/

The number of potentially qualified people that I see self-eliminating from open #infosecjobs saddens me. The thing is when you're looking at job descriptions, there are two ways you can look at them.

In typical Alyssa fashion, a 🧵 follows:

1/ Some people will read through the requirements from an implicit mindset of identifying the reasons not to apply. They look for any requirements that suggest they're not qualified and when they find too many of them (for some that means even one), they choose not to apply.

2/

FORTY SEVEN

Forty-seven trans people have been violently killed so far in 2021. While this number represents an increasing trend, let's talk about what that number doesn't tell us.

#TDOR #tdor2021

1/ * These are violent crimes, meaning someone else took their lives. This number does not reflect those that took their own lives as a result of unmanageable pressures of discrimination, abandonment, homelessness, forced conversion therapy, etc.

2/

Let's talk job offer negotiation, a 🧵.

If you've heard my talks on this, you know I'm a huge advocate for knowing your worth, getting paid, and asking for what you need.

Recruiters and hiring managers expect it, they're not going to rescind an offer if you ask for more 💰

1/ However, you also have to know what can and cannot be negotiated and remember it's a negotiation not a demand letter.

Salary, bonus, time-off, flexible work/wfh, signing bonuses, title

These are things that can typically be negotiated to varying degrees.

2/

Hey #infosec n00bs!!

One of the worst habits we have in security is speaking in absolutes. Saying things like "Unhackable", "Breachproof", "Fully Secure", "No Risk". They're simply untrue.

But this also includes when we talk about skillsets. There are no absolutes.

1/ So when someone says, "You must know x, y, z" or "You have to do a, b, c" to get a certain job (or any job) in security, you can simply toss out those absolutes in with all the other fallacious absolutisms that security people throw around. Simply ignore them.

2/

As more job descriptions are including pay range, you as a job seeker need to understand how those ranges actually work.

You might look at a range of $110K-155K and say, well I'll take $155K thanks! However, that might not always be the right approach.

1/ Unfortunately, most orgs only train managers (and sometimes not even them) on how these ranges work. Typically, there is a high, low, and midpoint.

The high-level goal is to bring people who are below the mid-point for a role, up to that mid-point.

2/

A 🧵 about tech interviews:

The technical interview is one of the most contentious aspects of the recruiting process IMHO. Hiring managers and orgs don't always handle it well and candidates get beat up with anxiety from the process. So how do we make it better?

1/ When I interviewed for my role at @Snyksec, I thought I bombed my tech interview. Benji asked me a couple questions about concepts I had never heard of before.

I admitted I didn't know the answer, but then shared a bit of logical deduction based on the terms as to what

2/

So I really want @ECCouncil to understand the damage they've done (a thread):

1. People who proudly achieved certifications are now disavowing and not renewing those certifications because of the shady practices of the org that provided those certs. All that hard work, lost. 2. People who won awards from your org are now renouncing those awards because they don't want to be associated with the practices of a company like @ECCouncil. These were accomplishments they should be able to be proud of that you've ruined.

So I want to make clear just how trivial it was to find repeated cases of plagiarism in the EC-Council blogs. All it took was going to recent blogs, finding a few key terms in the content and then Googling for those terms. Literally that's it. #ECCPlagiarism

1/ With less than 30 minutes of work, I was able to easily locate the original works that were leveraged to craft two of their blogs. That time included verifying the content matched, taking screen shots, confirming the blog was cached at archive.org and posting

2/

OK my last tweet (ok a thread) on the whole EC-Council fiasco for the night. They've shut down their blog and someone already congratulated me.

Let me be clear, I am not happy and I am not celebrating. This is not a win. There are only losers here. EC-Council loses for

1/ the obvious reasons.

However, our community loses as well. This whole thing sows distrust between practitioners and all of the educational and certification orgs we place our trust in.

Content creators lose as we realize we have to take exceptional measures to protect

2/