A rant on tokenization:
Tokenization is replacing particular data with an opaque set of bits, called a “token”.
The token either is encrypted or a mapping stored in a table. Tokens are usually a fixed # of bits (usually 64) for simplicity.

They are also surprisingly dangerous... I love tokenization for cases like credit card numbers, where a small opaque piece of data is quite sensitive and generally has reasonable usage patterns. But people try to use tokenization without security or scalability.

Don’t do this. Let me explain...

What's a good way to set the edge between a security (or privacy) engineering team and the rest of engineering?

(Was asked this question this morning and thought the way I think about the answer might be helpful to other folks.)

One simple trick: look at your on-call rotations There are a lot of places where systems are security/privacy-critical. A *lot*. Not all of those should go in the security/privacy team.

I'm Captain Pragmatic, teams should sit where they're productive and happy, but this is where I'd tend to put those teams.

A buddy who's interested in end-to-end encryption (E2EE) but hasn't done one of these projects in the very messy place which is the real world happened to ask me this morning about pitfalls which might not be obvious. So here's a partial list in the hopes that it's helpful. 🧵 For context: I have a PhD in cryptography, my thesis is on privacy-preserving cryptographic protocols, and I'm publicly known to have worked on several novel E2EE systems (from Zoom and Google).

So: 1) YMMV because every system is a bit different 2) this is not my first rodeo

I want to be right, so I keep looking for how I could be wrong.

I ask my coworkers what worries them, how I'm wrong, what I'm missing. I repeat and repeat that I want the bad news, because I can't help fix problems I don't know exist. Everyone has their own style, but this really helps me solve problems, fix things, and keep them fixed.

Plus I get fewer surprises. Security and privacy people hate surprises.

Hey folks! If you don’t know me, I’m the CISO of @Twitter – I run the information security, privacy engineering, and IT teams.

We’ve got a bunch of roles open across infosec, privacy eng + legal, and IT. Come help Twitter build great things which respect our users! 🧵 I’d love to have the chance to work with you. We have roles from relatively junior up to Director. Links in this thread; there are likely some more coming.

Managers are tagged in this thread, so you can ask any of us questions or say hi. They're good folks.

I mentioned the Bad News Hat at #enigma2022 and promised to tell the story when I had a few minutes.

This is the hat I pull out when I have to tell people something they won't like. I do it because earlier in my career a group of people literally cringed when they saw me. 🧵 Back in the day, I worked with a particular team who had what I called "incident season" which came right after... well, as far as I could tell, "bad decision season". They weren't all bad, but under pressure to launch this team launched some things which weren't solid. /2

Bob has clearly not understood the problem.

@senykam at #Enigma2022 "using marginalized groups as branding is a way to seem sincere"

Taint flow analysis to ensure data isn't going anywhere it shouldn't, like leaking location in Instagram at #Enigma2022 from Graham Bleaney

Dr. Gus Andrews is up next at #enigma2022

It's all just information. They have different teams. People try fact checking and AI/ML. A lot

But assumes facts and trust are at the center

@patrickgage is starting off his talk about COVID-19 misinformation with literal 🔥

@C_C_Krebs is kicking off #enigma2022 with a look back at the excitement which was the 2020 presidential election. I can't live tweet because I busted my wrist and I'm one-handed but talk is already great.

Non-cryptographers should be scared of crypto libraries. I'm not happy with that state (not every company has a friendly local cryptographer! or even an unfriendly one!), but that's sadly the state of things.

A story about my friend @yonatanzunger messing up, then suggestions.🧵 Yonatan went off to work for @humuinc several years ago (though he's at @Twitter now) and, being a small startup at the time, there were unsurprisingly zero cryptographers.

So one day I get a message from him asking what crypto library he should use, to which I replied "WHY???"

I realized today that I had never talked publicly about something really important about the design of access control systems: design their semantics to be reverse-indexable.

This is a much spicier take than it sounds like, but there's a good reason. 🧵 [1/] Right now, access control systems are built so you can show up and say "I want access to object X", the system looks up the access control rules for object X, and then figures out whether you should have access. [2/]

It's time to kick off an entire session about data deletion at #PEPR21 (It's hard!) with "Deletion Framework: How Facebook Upholds its Commitments Towards Data Deletion" from Benoît Reitz, Facebook

That's right, come one come all, this is @Facebook' data deletion framework. We can't expect people to write their own data deletion logic.
* They often don't know how to do it well and write bugs
* The deletion logic and data definition may drift apart over time

So we get annotations that people put on their storage

It's time to talk about consent at #PEPR21 starting with "Designing Meaningful Privacy Choice Experiences for Users" by Yuanyuan Feng, Carnegie Mellon and Yaxing Yao, University of Maryland Notice and choice is a legal framework. There are privacy notices which tell people about the practices. The controls let people have limited controls.

But in practice the controls are usually difficult to find, overly simplified, and sometimes manipulative using "dark patterns"

Next up at #PEPR21: Cryptographic Privacy-Enhancing Technologies in the Post-Schrems II Era

from Sunny Seon Kang, Data Privacy Attorney Going to provide context on CJEU case C-311/18, aka "Shrems II"

This launched companies into a whole tizzy because they said that folks needed "supplementary measures". What the heck is that?

First up at #PEPR21 "Privacy for Infrastructure: Addressing Privacy at the Root" by Joshua O’Madadhain and Gary Young from @Google.

Because hey, privacy is a full-stack problem, from humans and the societies they build all the way down to the hardware. Infrastructure is key. Both Josh and Gary have been at Google for "a while" (I think that's about 15 years each) and are both wizzes when it comes to privacy, especially in infrastructure.

Infrastructure is systems that provide other systems or products with capabilities [not the security kind]

More and more folks want to hire privacy engineers. This is great! You almost certainly need them! But, just like security, privacy engineering is a whole field.

So for the folks who want to hire or become a privacy engineer, a rundown of the current rough types I see. (Big🧵) First off, let's talk about the two things that people want out of a privacy engineer: (1) privacy-respecting products and systems, (2) compliance.

Compliance is making sure that all the correct paperwork is filled out showing that you followed the rules. Here's the thing...

Most of us know about the Dunning-Kruger effect, where people who are clueless about a subject are also clueless about how clueless they are. I had not looked at the original study.

Part of it "tests" humour. According to the Cautionary Tales podcast, these are the test jokes:🧵

https://twitter.com/LeaKissner/status/1377311378516545538

First off, I find it interesting that there's a "correct" answer. (It's #2, which I found, like many of you, to be too cruel to be funny.) But what I found more interesting is that they determined this "correct" answer by asking a panel of professional comedians.

@anildash @natematias @ruchowdh @cfiesler FWIW, working with folks to build products and systems which are respectful of the lovely diversity of humans which exist is what I do. I've been lucky enough to work with a bunch of deeply ethical, thoughtful, and smart folks with a range of backgrounds and skillsets. @anildash @natematias @ruchowdh @cfiesler I can talk about a bunch of things that I've done, places where you can see my work and that of folks like me, I can talk about PEPR, a conference for talking about this sort of work, but what I can't really talk about is the many things that never launched because of quiet chats

Last talk of #enigma2021 by Marcus Botacin: "DOES YOUR THREAT MODEL CONSIDER COUNTRY AND CULTURE? A CASE STUDY OF BRAZILIAN INTERNET BANKING SECURITY TO SHOW THAT IT SHOULD!"

usenix.org/conference/eni… The outcomes I get from my analysis of malware I find in Brazil were quite different than what I saw in analysis of malware from other researchers. Why? Because the malware attacks were different!