I still think #infosec hasn't wrestled enough with the fact that the field is replete with cops.
It's hard to stop the bad guys without law enforcement to take action against them.
@andydormire sounds like you don't know enough people.
I would define 'bad guys' in our scope of the word as any actor on the internet who has taken malicious and offensive actions without permission against an organization or entity.
I'm interested in your approaches... and I hope to gods you aren't pimping a product.
@JP Infosec is also rotten to the core with ex-military types.

I'd be a lot more ok with that if they didn't bring that culture.

No. I don't want your Challenge Coin.
@JP
How do you reconcile the need to audit machines, track for #IOCs, and have visibility into your network without 'bullying' users with collecting 'logs'? My guess is you were on the side of the academic a month back who felt like EDR was 'surveillance' on 'his' computer that was purchased by the university...?
That is a totally fair counterpoint. I am picking up on what you're putting down. Yes, by my definition they would be considered the bad guys. Though, I see them as a necessary exception.

I've spent a lot of time around law enforcement and often interface with folks in that sector for work now. Those gray areas are hard to label. But I do think it's worth mentioning the good that the LE community does in cyber.
#infosec has always skewed right and authoritarian - more than a couple CSOs I've worked for voted for Trump and would be glad to do it again
@gingerjet
I disagree about #InfoSec being right-wing or authoritarian.
Corporate InfoSec? Maybe, but that's just the nature of being a money making enterprise, doubly so if you are publicly traded.
There are any number of "information should be free" old school hackers still out there hammering on open source projects. Granted they are a dying breed because this sort of thing doesn't pay the bills.
There are also those who see #InfoSec as a way into #CyberCrime and easy money.

I'd be really interested to see a true breakdown of who is working in this field, how they got here, and what they want to get out of it.
@Jasey DePriest (she / her) @Tim Shea (gingerjet 🏳️‍🌈) @JP I think this is core to the militarization side. A lot of what we term infosec was funded by the military, and a lot of stuff is now funded by cops.

There's still hackers, lots of hackers, but they don't typically get into cons these days, because cons need money. Further ruining our industry.

Part of this is that corporations like cops and we infinitely fund cops and military.
See also mindset and approach to mental health, drugs, homelessness, having skin that isn’t white, etc. all things that are over policed and many aren’t even crimes.
Everything must be kept in check and in moderation. Your analogy is really good! I hear you. Abuse of power will almost certainly continue to be an issue so long as there is power to be abused.

But the overall net gain here is that we have an entire branch of the federal government that wants to help us. That wants to help protect our users and US citizens. They want to get justice for those who have been harmed.

If we look at the spread here, can we say that the harm done exceeds the good?
@bryanbrake this this this.

As a person who has worked with a lot of people with targeted identities or violence in their lives (and has friends, family in the same position), I generally leave infosec 'oversight' or 'visibility' talks pretty damn worried. Never feeling safer.

There’s now a bias against those other approaches because the standard approaches are enshrined in the cyberinsurance that my company needs when dealing with other companies. Actual example: if we are to supply boxes to one customer, I must enable password expiry for my users.
@keira_reckons you are correct, Keira, there is cause for worry, and for every one person JP assumes exists, there are hundreds that feel as strongly, or more so.

In 'my' experience, it's not the "security" asking to collect a ton of information, we're pushing back on ad metrics, sales people, product managers. I can't speak to the hypothetical form JP mentions (maybe that's an Australian thing), but privacy, security, and legal people all work to protect and minimize where we can.
@keira_reckons there's a lot to unpack there... Legislation written by clueless politicians (or worse, lobbyists), retention for retention's sake (or for 'compliance'), and data breaches.

Given a wish, what do you want to see 'infosec' be? Make devs more responsible? Who makes them more responsible?
And baby-killing weapons manufacturers and war-mongering strategist firms. We were never going to be left alone.