After working for 5.5 years in security at AWS, and before that, all 3 branches of USG,
I am now working in young (private) companies.
I decided to start a daily thread 🧵on some of the things I’ve learned.
(Feel free to DM or reply with your own! Bookmark for daily updates.)
Colleagues had a car broken into and laptops stolen in downtown Mountain View last night while we were at dinner. We wondered how they knew to break into the hatchback when it is not see-through.
They turn on bluetooth scanners and follow the beacon to find electronics.
Bill for $895 for ER visit (the one that made me miss defcon this summer!)
Requested an itemized bill.
They still haven’t sent that! But instead, they sent an “offer of settlement”: that I pay *half* of the amount they claimed I owe.
Wow.
if you're in an interview (with me, anyway) and I ask a technical question you don't know,
the answer "I don't know, but I'd look it up [insert here where you'd look to find it]," followed by a description of the approach you'd take,
is totally fine. it's not a "gotcha" game.
Everyone knows "technical debt" (stuff you have but don't need). I'm coining "policy debt" to refer to the policies enshrining "but we've always done it this way" practices.
Password policies are a lot of this.
Do other people re-read their “sent” emails just to reassure themselves that it was right? I have this habit of annoying myself by revisiting them after I’ve hit send.
Ok friends-- an ask.
I have a friend who quit his job as a Denver cop tonight. His wife went to high school with me.
Any ideas? He's up for whatever-- could do sales, office management, etc. 2 year degree. They're looking at maybe TX as a fresh start.
I don't do "debates." I'm an engineer--I solve problems.
AWS, & I, personally, care deeply about making the secure thing, the easiest thing, to do. That's a tough aspiration & I spend my life on it.
Thank you to this supportive community, all who replied so I didn't need to.
💜
my flight attendant just got her cloud practitioner certification and we're gonna refer her to aws jobs, fam. yes we are. (she told me bc i'm in my same crypto shirt on the plane.)
companies: I want to hire "true" security people!
also companies: they don't enjoy our all-hands meetings like I want them to! why are they so weird?
🥸
When I read about a "SOC," "IR team," "threat hunting team," and "threat intelligence team" all being individual entities, I feel something has gone terribly wrong in the development and organization of defensive capabilities over the last 10 years. It feels overspecialized.
remember when we said we'd provide (for free) the same training amazon employees get? here it is:
(feel free to incorporate it into your entity's curriculum, build from it, etc.)
Actually, world-class engineers (some at world-class tech companies) keep telling you how math/cryptography works, & you appear to be wilfully ignoring reality.
Attorney General Barr statement: "I am confident that our world-class technology companies can engineer secure products that protect user information and allow for lawful access."
Judith Love Cohen was an American aerospace engineer who helped create the Abort-Guidance System that rescued the Apollo 13 astronauts.
When she went into labor, she went to work.
She took a printout of a problem she was working on to the hospital. She called her boss and
it grinds my gears when people tell women aspiring to careers in security "you don't need to be technical!" like yeah but you don't need to NOT be technical either.
if you learned it, she can too. and she'll likely make more if she does. let's say the real story.
Woman next to me on the plane is having heavy anxiety bc we’re flying through turbulence and I just reassured her that it’s totally fine we’re not gonna die. Or we will and then you don’t need to send that email.
Maybe I’m not helping.
Let’s do a round up of the tropes we hate because they’re ridiculous/inaccurate/unuseful.
I’ll start:
Military grade encryption
Data is the new oil
It’s not a matter of if, but when (you get attacked)
People are the weakest link (in security)
Add your favorites!
wishlist: hotels that would rent for the day instead of overnight. I'm often in a city from 8am-8pm, and having a reservation that only guarantees me a quiet spot until 11am or after 3 or 4pm isn't great.
do other folks have ideas that work here?
I want to go to church but one where there’s nothing to do with god it’s just community and music and food. Maybe a quick workout and we take turns watching the kids.
A vaccinated person can get Covid. They just don’t tend to die.
Meanwhile I have a baby who cannot be vaccinated, but to whom I could transmit.
So YEAH you did miss some science.