

I still think #infosec hasn't wrestled enough with the fact that the field is replete with cops.
in reply to JP

It's hard to stop the bad guys without law enforcement to take action against them.

BrBr.Prime
@andydormire sounds like you don't know enough people.

Andy Dormire
I would define 'bad guys' in our scope of the word as any actor on the internet who has taken malicious and offensive actions without permission against an organization or entity.

BrBr.Prime
I'm interested in your approaches... and I hope to gods you aren't pimping a product.
in reply to JP

@JP Infosec is also rotten to the core with ex-military types.

I'd be a lot more ok with that if they didn't bring that culture.

No. I don't want your Challenge Coin.

@JP

BrBr.Prime
how do you reconcile the need to audit machines, track for #IOCs, and have visibility into your network without 'bullying' users with collecting 'logs'? my guess is you were on the side of the academic a month back who felt like EDR was 'surveillance' on 'his' computer that was purchased by the university...?

Andy Dormire

That is a totally fair counterpoint. I am picking up on what you're putting down. Yes, by my definition they would be considered the bad guys. Though, I see them as a necessary exception.

I've spent a lot of time around law enforcement and often interface with folks in that sector for work now. Those gray areas are hard to label. But I do think it's worth mentioning the good that the LE community does in cyber.

in reply to JP

#infosec has always skewed right and authoritarian - more than a couple CSOs I've worked for voted for Trump and would gladly do it again
in reply to Tim Shea (gingerjet)

@gingerjet
I disagree about #InfoSec being right-wing or authoritarian.
Corporate InfoSec? Maybe, but that's just the nature of being a money making enterprise, doubly so if you are publicly traded.
There are any number of "information should be free" old school hackers still out there hammering on open source projects. Granted, they are a dying breed because this sort of thing doesn't pay the bills.
There are also those who see #InfoSec as a way into #CyberCrime and easy money.

I'd be really interested to see a true breakdown of who is working in this field, how they got here, and what they want to get out of it.

in reply to J. R. DePriest :verified_trans: :donor: :Moopsy: :EA DATA. SF:

@Jasey DePriest :verified_trans: :donor: (she / her) :EA DATA. SF: @Tim Shea (gingerjet 🏳️‍🌈) @JP I think this is core to the militarization side. A lot of what we term infosec was funded by the military, and a lot of stuff is now funded by cops.

There's still hackers, lots of hackers, but they don't typically get into cons these days, because cons need money. Further ruining our industry.

Part of this is that corporations like cops and we infinitely fund cops and military.


Chris :fediverse:
See also mindset and approach to mental health, drugs, homelessness, having skin that isn’t white, etc. all things that are over policed and many aren’t even crimes.

Andy Dormire

Everything must be kept in check and in moderation. Your analogy is really good! I hear you. Abuse of power will almost certainly continue to be an issue so long as there is power to be abused.

But the overall net gain here is that we have an entire branch of the federal government that wants to help us. That wants to help protect our users and US citizens. They want to get justice for those who have been harmed.

If we look at the spread here, can we say that the harm done exceeds the good?


Keira (She/Her)

@bryanbrake this this this.

As a person who has worked with a lot of people with targeted identities or violence in their lives (and has friends, family in the same position), I generally leave infosec 'oversight' or 'visibility' talks pretty damn worried. Never feeling safer.


Deborah Pickett
There’s now a bias against those other approaches because the standard approaches are enshrined in the cyberinsurance that my company needs when dealing with other companies. Actual example: if we are to supply boxes to one customer, I must enable password expiry for my users.
in reply to Keira (She/Her)

@keira_reckons you are correct, Keira, there is cause for worry, and for every one person JP assumes exists, there are hundreds that feel as strongly, or more so.

In 'my' experience, it's not the "security" asking to collect a ton of information, we're pushing back on ad metrics, sales people, product managers. I can't speak to the hypothetical form JP mentions (maybe that's an Australian thing), but privacy, security, and legal people all work to protect and minimize where we can.


BrBr.Prime

@keira_reckons there's a lot to unpack there... Legislation written by clueless politicians (or worse, lobbyists), retention for retention's sake (or for 'compliance'), and data breaches.

Given a wish, what do you want to see 'infosec' be? Make devs more responsible? Who makes them more responsible?


in reply to JP

and baby killing weapons manufacturers and war mongering strategist firms. We were never going to be left alone.