I would define 'bad guys' in our scope of the word as any actor on the internet who has taken malicious and offensive actions without permission against an organization or entity.
how do you reconcile the need to audit machines, track for #IOCs, and have visibility into your network without 'bullying' users with collecting 'logs'? my guess is you were on the side of the academic a month back who felt like EDR was 'surveillance' on 'his' computer that was purchased by the university...?
That is a totally fair counterpoint. I am picking up on what you're putting down. Yes, by my definition they would be considered the bad guys. Though, I see them as a necessary exception.
I've spent a lot of time around law enforcement and often interface with folks in that sector for work now. Those gray areas are hard to label. But I do think it's worth mentioning the good that the LE community does in cyber.
@gingerjet I disagree about #InfoSec being right-wing or authoritarian. Corporate InfoSec? Maybe, but that's just the nature of being a money making enterprise, doubly so if you are publicly traded. There are any number of "information should be free" old school hackers still out there hammering on open source projects. Granted they are a dying breed because this sort of thing doesn't pay the bills. There are also those who see #InfoSec as a way into #CyberCrime and easy money.
I'd be really interested to see a true breakdown of who is working in this field, how they got here, and what they want to get out of it.
See also mindset and approach to mental health, drugs, homelessness, having skin that isn’t white, etc. all things that are over policed and many aren’t even crimes.
Everything must be kept in check and in moderation. Your analogy is really good! I hear you. Abuse of power will almost certainly continue to be an issue so long as there is power to be abused.
But the overall net gain here is that we have an entire branch of the federal government that wants to help us. That wants to help protect our users and US citizens. They want to get justice for those who have been harmed.
If we look at the spread here, can we say that the harm done exceeds the good?
As a person who has worked with a lot of people with targeted identities or violence in their lives (and has friends, family in the same position), I generally leave infosec 'oversight' or 'visibility' talks pretty damn worried. Never feeling safer.
There’s now a bias against those other approaches because the standard approaches are enshrined in the cyberinsurance that my company needs when dealing with other companies. Actual example: if we are to supply boxes to one customer, I must enable password expiry for my users.
@keira_reckons you are correct, Keira, there is cause for worry, and for every one person the JP assumes exists, there are hundreds that feel as strongly, more so.
In 'my' experience, it's not the "security" asking to collect a ton of information, we're pushing back on ad metrics, sales people, product managers. I can't speak to the hypothetical form JP mentions (maybe that's an Australian thing), but privacy, security, and legal people all work to protect and minimize where we can.
@keira_reckons there's a lot to unpack there... Legislation written by clueless politicians (or worse, lobbyists), retention for retention's sake (or for 'compliance'), and data breaches.
Given a wish, what do you want to see 'infosec' be? Make devs more responsible? Who makes them more responsible?
silverwizard, in reply to JP:
@JP Infosec is also rotten to the core with ex-military types.
I'd be a lot more ok with that if they didn't bring that culture.
No. I don't want your Challenge Coin.
silverwizard, in reply to J. R. DePriest, Tim Shea (gingerjet) and JP:
I think this is core to the militarization side. A lot of what we term infosec was funded by the military, and a lot of stuff is now funded by cops.
There's still hackers, lots of hackers, but they don't typically get into cons these days, because cons need money. Further ruining our industry.
Part of this is that corporations like cops and we infinitely fund cops and military.
Keira (She/Her):
@bryanbrake this this this.