What happened: a crazy conspiracy theorist saw a perfectly normal CDC report, misunderstood it, and then that misunderstanding went viral when the President retweeted it.
I think the first thing any "debunking" or "fact checking" needs to do is address why we are all talking about it. It also needs to address the agenda, not so much the "only 6%" number, but the implication the CDC was hiding it and suddenly revealed it August 30th.
2/ Infosec professionals arguing for more security are a lot like those who argue for police states or military industrial complex. We try to argue from a position of moral authority, that security is a moral imperative rather than a marginal benefit that exceeds marginal costs.
3/ Burnout comes from failure at internal corporate politics -- such as failure to convince people that more security is necessary. It's not seen this way. Nobody describes "my corporate political battle" but "I'm right -- which they'd see if not for their corporate politics".
1/n Okay, we need to stop for a moment and consider cybersecurity from a CEO's point of view. It's easy to laugh at them, as in the following tweet, but that's not going to change things until we understand their perspective.
2/ The only thing more broken than how CEOs view cybersecurity is how cybersecurity experts view cybersecurity. We have this flawed view that cybersecurity is a moral imperative, that it's an aim by itself. We are convinced that people are wrong for not taking security seriously.
3/ Rather than experts dispensing unbiased advice, we've become advocates/activists, trying to convince people that they need to do more to secure things. This activism has destroyed our credibility in the boardroom, nobody thinks we are honest.
Twitter is fiction. The latest outrage is driven by deliberate ignorance, by refusing to see it from the opposing point of view, by blocking everyone who doesn't share your outrage, by creating a filter bubble.
Trying to see things from the other point of view is just moral corruption, and maybe you secretly support this bad thing. Purity and virtuousness means ignorance, that we cleanse the net from any detail that would lessen the outrage.
By the way, the outrages I'm talking about are the ones that upset everybody today but which disappear tomorrow to be replaced by the next outrage. I'm not talking about the George Floyd homicide.
Nothing is "free". If somebody is offering a free product, they are expecting to get paid somehow. Saying Zoom's encryption needs to be free is like saying VPNs need to be free. Free VPNs are harvesting your data for $$$.
Zoom's free tier is therefore intended as the first step to get people to pay. From a pure business point of view, costs vs. benefits, what does end-to-end encryption lead to? If it results in more paying customers, then add it. If it only results in more costs, remove it.
Trump has a long list of common attacks he uses in cases like this. It's hard to predict exactly which one he'll choose.
"worst chief of staff ever"
"he begged me for a job"
"I did him a favor"
"nobody liked him"
"also known as John Smelly (or some other bad name)"
The way competent politicians combat this is "Kelly was an extremely competent chief of staff, but we increasingly disagreed on policy decisions, and I'm sorry it's come to this". People would believe Kelly less.
1/ So in this thread I'm going to point out what's wrong with that Tom Cotton piece. I'm going to start by agreeing with a couple of his points, bear with me, I'm going to get around to disagreeing. nytimes.com/2020/06/03/opi…
2/ To start with, is it exaggerated? Is the level of rioting and violence the same as the 1960s? My gut says the protests have been overwhelmingly peaceful with occasional violence.
3/ Well, Wikipedia lists 11k arrests vs. 15k arrests in the MLK assassination riots, and other sources point to roughly the same amount of damage (hundreds of millions of dollars). I suppose we won't know for months, like when insurance companies compile statistics.
I grew up with the "WKRP" censorship episode, showing why censorship is bad, showing the Christian right trying to suppress rock songs.
Woke people aren't claiming that censorship is good, just that their efforts to suppress speech aren't censorship. Yesterday's outrage against the NYTimes for publishing the Tom Cotton op-ed is censorship and intolerance of views opposed to their own. The woke don't see it like that.
Social media is defined by two things: (1) intolerance (2) the inability to pay attention to nuance and complexity
Karl Popper's "Paradox of Intolerance" doesn't mean what you think it means. Yes, if a group is trying to violently suppress speech, then no, we shouldn't tolerate that. But if they are merely expressing intolerant opinions, then we still have to tolerate their opinions.
I hate to bring up Antifa because it's a group whose importance is exaggerated by Trump, Cotton, etc., but it's them who Popper is talking about. Antifa's sole reason for existence is to violently suppress the speech of others.
I rushed to make the above tweet BEFORE Trump responds. It's a sort of test. If I'm wrong, then Trump is a greater man than I claim. If I'm right, this'll prove what I'm saying that Trump is a small, petty man.
I mean, I'm not going to wait until Trump responds and try to generate principles after the fact to criticize Trump. Instead, I'm declaring a set of principles first -- and then we'll see if Trump fits them or not.
This tweet demonstrates why people like me despise law enforcement. While many people use "free speech" and "First Amendment" interchangeably, technically the only thing the First Amendment protects against is infringement of speech by the government.
Taken literally, therefore, what the FBI would appear to be calling for is information/media depicting government agents (i.e. police) committing violence against protesters, infringing their free speech. In other words, videos like this one: nytimes.com/video/opinion/…
But what they mean is the obvious. They are looking for evidence against people looting and vandalizing during otherwise peaceful protests. This threatens peaceful protesters who happened to be nearby when such acts take place.
1/ I got through watching "Space Force" series on Netflix and I have to admit I liked it, usually for the precise reasons why many don't like it.
2/ What upsets many people is that it pokes good-natured fun at the current President, as well as the "angry young congresswoman from New York". In today's polarized climate, it has to be mean-spirited commentary about one side and praise for the other.
3/ It seems written by experienced people. You don't get the easy, stupid, obvious jokes -- you get more complex, hard to understand humor, that much of the time you aren't even quite certain was intended as humor.
1/ Um, the reason many are silent on the issue is not because they secretly support the other side, or are afraid to debate the other side. It's because they are afraid of their own side, the hyperpolarized elements who will attack them for deviating from orthodoxy.
2/ Social media has become a cesspool of toxic behavior, where your only two choices are to join in or be silent. If you take the middle ground, express original ideas, challenge the excesses of your own side, seek to understand the opposing side, you'll be ostracized and blocked.
3/ It's "black lives matter" not "all lives matter". But if somebody insists on "all lives matter", I'm not going to tell them to "fuck off" as is the norm on social-media. I want to have a friendly discussion because they probably are a reasonable, caring, good human being.
They aren't really "activists". It's not that they are working tirelessly for a cause, and include hacking as one of their activities to fight for that cause. Instead, they enjoy hacking and causing trouble, and choose the cause to justify the hacks.
The recent "password dump" of Minneapolis government workers was fictional. They scraped dumps from other sites with Minneapolis email addresses and published those. Thus, you had passwords including the word "linkedin", because they actually came from the LinkedIn dump.
2/ I don't know about you, but I frequently fail at answering the CAPTCHA designed to detect if I'm human. I fail to identify all the traffic lights or buses in that picture. I really don't know what letter is a U, u, v, V, or whatever.
3/ In any case, you can go all "mechanical turk" on the problem and hire low-waged workers in foreign countries to create the accounts before you then have software programmatically post to those accounts.
1/ "Is DDoS a legitimate form of protest?"
Obviously "no", but it can be more complicated.
2/ I say "obviously" even though I know people disagree. I view only the "free speech" parts to be "legitimate", whereas others consider "direct action" legitimate, such as blocking streets and causing various levels of violence.
3/ But the complicated bits are when you move from "protest" making a statement to "resistance", preventing the oppression done to you.
To continue this thread: one of the reasons targets think the attack was 'sophisticated' is because their systems failed in unexpected ways. Nobody could've predicted exactly that failure, so they assume it was because the attackers were geniuses.
Thus, let's assume a typical attack where they spend $5 with a DDoS-for-hire service to hit a specific website like ci.minneapolis.mn.us/police/, but unexpectedly, a lot of other seemingly unrelated things fail.
That's because somewhere deep in some other systems is something that maybe queries the public website every few minutes, and when response time goes from 1 second to 10 seconds, causes something to break.
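The cascading failure described in the three tweets above can be reproduced in a small simulation. This is an added example and not code from the tweets' author: it models a constructed internal service whose request handler synchronously fetches the public website, with an assumed pool of 10 workers and an assumed load of 5 requests per second. When upstream latency goes from 1 second to 10 seconds, the worker pool saturates and most requests fail, even though nothing attacked the internal service itself. The same model with an upstream timeout and a simple circuit breaker (both assumptions about how a defender would harden the dependency, not anything from the tweets) keeps serving, first degraded and then from cache.

```python
"""Simulate an internal service that depends on a public website.

Constructed example: the worker count, request rate and latencies are
assumptions chosen to illustrate the failure mode, not measured values.
"""


def simulate(upstream_latency_s, request_rate, workers=10, duration_s=60,
             timeout_s=None, breaker_trips_after=None):
    """Discrete-time (1 second per tick) simulation.

    Each incoming request needs a free worker and, unless the circuit
    breaker is open, makes a synchronous call to the upstream site that
    occupies the worker for `upstream_latency_s` seconds (or `timeout_s`,
    if a timeout is configured and the upstream is slower than that).

    Returns a dict counting how each request ended:
      full     - upstream answered within the timeout (or no timeout set)
      degraded - upstream call timed out; a degraded response was returned
      cached   - breaker open; served a cached value without calling upstream
      failed   - no free worker; the request was dropped
    plus `breaker_opened_at`, the tick at which the breaker tripped (or None).
    """
    busy_until = [0.0] * workers          # per-worker time at which it frees up
    counts = {"full": 0, "degraded": 0, "cached": 0, "failed": 0}
    consecutive_timeouts = 0
    breaker_opened_at = None

    for t in range(duration_s):
        for _ in range(request_rate):
            if breaker_opened_at is not None:
                # Breaker open: do not touch the slow upstream at all.
                counts["cached"] += 1
                continue

            free = [i for i, until in enumerate(busy_until) if until <= t]
            if not free:
                # Every worker is parked waiting on the upstream site.
                counts["failed"] += 1
                continue
            i = free[0]

            if timeout_s is not None and upstream_latency_s > timeout_s:
                # Give up after the timeout and answer with a degraded page.
                busy_until[i] = t + timeout_s
                counts["degraded"] += 1
                consecutive_timeouts += 1
                if (breaker_trips_after is not None
                        and consecutive_timeouts >= breaker_trips_after):
                    breaker_opened_at = t
            else:
                busy_until[i] = t + upstream_latency_s
                counts["full"] += 1
                consecutive_timeouts = 0

    counts["breaker_opened_at"] = breaker_opened_at
    return counts


if __name__ == "__main__":
    print("normal (1s upstream):      ", simulate(1.0, 5))
    print("under DDoS (10s upstream): ", simulate(10.0, 5))
    print("with 2s timeout:           ", simulate(10.0, 5, timeout_s=2.0))
    print("timeout + breaker:         ",
          simulate(10.0, 5, timeout_s=2.0, breaker_trips_after=10))
```

The naive configuration is what the tweets describe: the public site slowing from 1 s to 10 s cuts the dependent service's capacity from 10 requests per second to 1, so four out of five requests are dropped. A timeout alone keeps the service answering, but every response is degraded and every request still waits out the timeout; the breaker stops calling the upstream after ten consecutive timeouts, so the internal service no longer depends on the site under attack. A production breaker would also half-open periodically to probe for recovery, which this model omits.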
In other words, do a Google search of your favorite cybersecurity vendor and zero trust, like 'site:example.com zero trust'. They have a whitepaper talking about how their products fit into a zero trust framework.
QED: all cybersecurity vendors are zerotrust vendors, and hence, the term "zerotrust" means simply "cybersecurity".
2/ If your life depends upon the security of your communications, then there is no substitute for learning how these things work. Experts might also use Tor and Signal -- but not in the ways naive users would that would expose their privacy. Experts might use something else.
3/ If you wait until your life depends upon it (such as you've suddenly decided to take up arms against the government), then it's probably too late. The government will already have access to all the communications records up to that point.
The "sophisticated" cyber attack is a cliche, a trope, used to disguise the victim's own ineptness. It's not us that is so stupid, but them that is so sophistimicated.
For example, one of the least sophisticated things hackers do is PsExec to spread from one Windows machine to another. This has the effect such that once they get a foothold into a Windows network, they can spread throughout the rest of the network.