Taz Wake
#DFIR & #ThreatHunting | Certified @SANSInstitute instructor | SANS Course Author | CPP CISSP (etc) holder | Views are my own | Likes/Retweets may be random
Jun 1, 2023 11 tweets 2 min read
Genuine question. In the year 2023, how do we define:

"Working class"

It is constantly being invoked by racists & hate-filled bigots (who claim to speak on behalf of "ordinary working class" people like themselves) & it is definitely a "side" in the culture war against "elites". But I don't think I've ever seen it used in a way that makes sense to me. It is nearly always people who claim to be working class because some direct ancestor made the claim.

Is that how it works?

I have some examples but I am genuinely open to any answers that can make sense.
Mar 29, 2023 10 tweets 2 min read
I felt I needed to tweet more about this. 🧵

Cost of living is definitely a thing, which seems to confuse a lot of US people when they see UK salaries. In *very general* terms, getting £100k is similar to getting US$200k.

But even so, this is terrible. Yes, I am simplifying but, *most* people in the UK on £100k a year will have a lifestyle similar to, if not better than, most people in the US living on US$200k a year.

And, yes, you will absolutely find a lot of exceptions to that. Well done.
Jul 2, 2022 17 tweets 3 min read
There are some pretty consistent character traits, over-represented in right-wingers. I often wonder if there is a causal link and which way it points.

Traits? Let me explain with a🧵to explain my thinking.

The most significant is a complete refusal to take responsibility for pretty much anything bad they do.

Vote for Nazis? "Because of BLM".
Oppose human rights? "It's because of trans activists".
Destroy the climate? "It's because of protestors".

Everything is always because SOMEONE ELSE made them do it. And these are actual adults, not kids.
Jul 1, 2022 5 tweets 2 min read
It is interesting that people see #Linux admins as galaxy brain geniuses with super-awesome knowledge of the environment, while they argue on how to save 1 ns of processor time by chaining the commands differently.

Then they expose SSH to the internet with a 4 char password... In the last three weeks, I've dealt with FOUR different orgs where they've been pwnd as a result of insecure SSH configurations. Three were <6 char pwds, in RockYou.

One was exposing SSH with the root account password being the company name. Weirdly, this wasn't even the first time.
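The three failure modes in that thread (password auth reachable from the internet, root allowed to log in with a password, and a password that is short or sits in a public wordlist) are all visible in a few lines of sshd_config. The following is an added example, not code from the thread or its author: a small audit that parses a config the way sshd does (first occurrence of a keyword wins, anything after a `Match` line is not a global setting) and flags the weak settings beside a hardened equivalent. Both config texts and the mini wordlist are constructed stand-ins; a real run would read `/etc/ssh/sshd_config` and `rockyou.txt`.

```python
"""Audit an sshd_config for the weak settings behind internet-facing SSH
compromises: password auth, root password login, generous guess counts.

Added example (not from the original thread). The sample configs and the
WORDLIST are constructed for illustration.
"""
import re

# Constructed sample: a stock-like config that leaves everything enabled.
WEAK_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
MaxAuthTries 6
"""

# Same host with the fixes applied: keys only, no root password login,
# few guesses per connection, explicit allow-list of SSH users.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 20
AllowGroups ssh-users
"""

# Values sshd uses when the keyword is absent (OpenSSH 7.0+ defaults).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "maxauthtries": "6",
}

# Tiny constructed stand-in for rockyou.txt; a real audit loads the file.
WORDLIST = {"123456", "password", "qwerty", "acme", "letmein"}


def parse_sshd_config(text):
    """Return the global settings as {keyword_lower: value}.

    Honours two sshd_config rules that trip people up: the FIRST occurrence
    of a keyword wins (later duplicates are ignored), and every line after a
    'Match' line belongs to a Match block, so it is not a global setting.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        m = re.match(r"([^\s=]+)\s*=?\s*(.*)", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break                              # rest of file is Match-scoped
        settings.setdefault(key, value)        # first occurrence wins
    return settings


def effective(settings, key):
    """Value sshd will actually use: explicit setting, else the default."""
    return settings.get(key, DEFAULTS.get(key, "")).lower()


def audit_sshd_config(text):
    """Return a list of (keyword, effective_value, problem) findings."""
    s = parse_sshd_config(text)
    findings = []
    if effective(s, "passwordauthentication") == "yes":
        findings.append(("PasswordAuthentication", "yes",
                         "password guessing possible; keys only on internet-facing hosts"))
    if effective(s, "permitrootlogin") == "yes":
        findings.append(("PermitRootLogin", "yes",
                         "root can log in with a password; use 'no' or 'prohibit-password'"))
    try:
        tries = int(effective(s, "maxauthtries"))
    except ValueError:
        tries = int(DEFAULTS["maxauthtries"])
    if tries > 3:
        findings.append(("MaxAuthTries", str(tries),
                         "many guesses per connection; lower it and rate-limit at the firewall"))
    return findings


def weak_password(password, wordlist=WORDLIST):
    """Return why a password would fall to a basic wordlist attack, or None."""
    if password.lower() in wordlist:
        return "in wordlist"
    if len(password) < 12:
        return "shorter than 12 characters"
    return None


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or 'no findings'}")
    print("root password 'acme':", weak_password("acme"))
```

Note that a config with no `PasswordAuthentication` line at all is still flagged, because sshd's default is `yes`; an audit that only greps for explicit `yes` values misses exactly the "never touched the defaults" hosts the thread describes.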
May 28, 2022 18 tweets 4 min read
Earlier today, a weird series of tweets trying to imply @cybergibbons had lost his company work made me think about how we engage pentesters - and we are probably doing it wrong.

We should do better.

🧵
(tl;dr: don't ask for bids, just pick a pentest company)

Just to be clear - I do *not* for one second believe this person's statement is true. I genuinely think they just made it up because they were internet-sad and ended up having to double down on it because the rage about cyclists consumed them.

And yes, they blocked me 🤣🤣🤣
May 27, 2022 5 tweets 4 min read
Weird phishing email today. No one called Dawn works for me and we don't use Wix...

Mail seems to have come from DigitalPacific claiming to be from "onicemarmo[.]com". None of this aligns with a claim to be from Wix. The links go to http://my{subdomain}.co.uk-santa.evoluesystem.com/Enat-Hosingir?{victimsemail}

evoluesystem[.]com seems unrelated - it's been around for a while, but it also appears unmanaged/badly managed.
Feb 1, 2022 23 tweets 5 min read
I've been buried with work for a while now, so I've an overwhelming urge to procrastinate with a rant about how right-wing/libertarian bros seem obsessed with looking dumb & being inconsistent...

This time it's down to Spotify & censorship.

🧵

First, it is still Twitter, so some caveats. I don't actually think they are all dumb. I actually agree with some libertarian ideas, it's just that they attract asshats and end up being an excuse for selfishness & intolerance.
If this upsets you, stop reading and unfollow me.
Sep 20, 2021 4 tweets 1 min read
I totally get that tuning alerts is hard, not very exciting & resource intensive, but you still have to do it. If you don't, your bazillion dollar security tool will suck.

Today's example is an org that has a tool. The tool generates 40+ alert notifications per day. The notifications are sent to several groups (so everyone ignores them) and each one would take about 5 min to resolve. That alone is about 4 hours work, 7 days a week.

If anyone did that, but they don't, because they all got fed up doing it.
Jun 27, 2021 8 tweets 2 min read
So #infosec people - when you are hiring for a brand new L1 SOC analyst, what do you list as the mandatory skills and why?

In the last week, I've seen CEH, OSCP, "windows internals", "good knowledge of networking" and many more things listed.

I'd like to know your thoughts. But I am going to poison the well a little bit, largely because very few people read the full thread.

I just want to reiterate - this is a brand new, L1 SOC analyst.

It isn't a threat hunter. It's not a reverse engineer. It isn't a pentester/redteamer.

It's a L1 SOC analyst.
Jun 25, 2021 6 tweets 2 min read
I get that Zero Trust is cool #infosec concept, but if you are designing an authentication system, you need to understand that at *some* point trust kicks in. If you treat every step as if no other step has happened, you are just making life hard for users. As an example, I've been fighting a system today which has:
1) you need to VPN in using a customer issued device with a soft token on the device. This also needs username and MFA token as well as the device token.
Jun 23, 2021 17 tweets 4 min read
One of the biggest challenges #infosec faces is that we have a disturbing number of charlatans in senior security roles at organisations.

I had a call this evening which resonated with a discussion yesterday and a mix of procrastination & annoyance has led to this 🧵...

First, don't for one second mistake this as a dig at $cert. Of all the really, really bad pretenders I know personally, less than 10% have any infosec certs, and probably 5% have CISSP. (None have CEH, oddly).
Your experience may differ, but that's your story, not mine.
May 30, 2021 12 tweets 3 min read
Lots of discussion about #infosec salaries recently (not just my constant whining).

One argument put forward is that "money isn't everything" and some roles (hospitals, government etc) are ok to pay a lot less because the work they do is important.

I disagree. At a most basic level, people still need to eat, clothe themselves and have a place to live. No amount of virtue-in-my-job will provide food. You can't pay your rent/mortgage with "I am doing a service for the nation."

It just doesn't work that way. You need money to live.
Jan 30, 2021 20 tweets 4 min read
So #infosec #jobs thread.
In the last 12 months, I've been involved with 60+ interviews for various SOC, IR etc roles. This has come from about 120+ CV/Resume submissions.
To start, a caveat though - this is all IMHO. Hiring is an amazingly individual event.

First, CV length. The common wisdom is that it has to be under 2 pages and very tailored to the role. I disagree. A CV should be concise but it also needs to provide enough information to make the hiring manager want to speak to you. If there is an HR screen, it needs to contain
Jan 10, 2021 15 tweets 3 min read
I've been genuinely surprised how many people in infosec think [Twitter|Amazon|Apple|Google] should in some way be prevented from blocking Trump/Parler.

I strongly disagree & this is a hill I will die on.

I got a lot of DMs about this last night so I think a thread is needed.

First - part of the problem is that the public is being tricked into thinking there is something special about either which gives them an intrinsic right to have $things. I reject that idea. I kind of accept Trump got a pass as POTUS but even that is a sketchy argument.
Aug 27, 2020 27 tweets 5 min read
Is there a skill shortage in infosec? Are we failing to bring new people in?
It may sound contradictory but I think the answers are "no" and "yes" in that order.

To be clear, in the last 10 years I've been in the private sector, I haven't seen a shortage. But....(1 of many ofc)

But before I continue, a quick side note. This thread was inspired by a tweet from @bettersafetynet who is genuinely one of the most awesome people I've met. His tweet about this was nuanced, which is why I've felt the need to have a massive thread in reply. Follow him right now.
Jan 31, 2020 20 tweets 4 min read
I've been thinking - what actual value do companies see from having a skilled, knowledgeable, capable infosec team? I am a bit worried, that on reflection, the answer seems to be "not a lot."
Don't agree? Read on and I will try to explain.

First - backstory. About 5 years ago I was engaged with a company who had a genuinely top-notch [IT|info|Cyber] security department. For an org of ~7000 end users, they had ~20 security professionals who covered a range of disciplines, all motivated, experienced and hardworking.
Jan 20, 2020 10 tweets 2 min read
Bit of a thread here:
About a year ago I gave an @ Night talk which was attended by about 70 people and it went really well (IMHO). Over 50 people filled in feedback forms and all were 4s & 5s. This was really good because I was planning to use the talk again, several times.

After the talk, I got lots of very positive feedback from lots of people. It was a wonderful ego boost and I was pleased I'd managed to portray the work my team and I had carried out on a big incident.
Oct 15, 2019 15 tweets 3 min read
Bit of an interesting tale about someone who I understand is about to be "let go" after a fairly short time as a CISO. First off, this is not a defence of the person, most people disliked them. It is more a comment on the culture and its problems. (1/?)

First off - the person didn't have the strongest security background and they did rub the security team up the wrong way (including some odd decisions). However, they were brought in to the organisation as an EXPERT over and above any internal candidates (2/?)