Notices by Tarah Wheeler 🖖♦️ (tarah@infosec.exchange)

I say this as a CEO: From now on, when children’s health data is compromised because multi factor authentication was not enforced, fire the CEO, not the CISO. I mean, sure, fire the CISO as well, but the CEO bears the responsibility. An update on the PowerSchool breach from the ever-incise @dangoodin https://arstechnica.com/security/2025/01/students-parents-and-teachers-still-smarting-from-breach-exposing-their-info/

I want to *physically* go to a store with safety glasses and order prescription lenses for them. I need motorcycle goggles.

Prescription safety glasses are too expensive to simply order online without having tried the frames first. Does anyone know a place in Seattle? Does Oakley do it?

I know some truly wonderful infosec journalists but here's a thing I need help with: currently, there are essentially *no* news stories out there about MSPs, small business cybersecurity - anything really meaningful beyond "here's a puff piece on a commercial white paper that did sentiment analysis on 70 small biz owners and they're all scared of furrin hackerz" or PR releases on "Google just bought an MSP in Indonesia".

Is there a cyber journalist with a beat that doesn't focus on the big gov and F500 stories?

In time, all data becomes either totally public, or disappears completely.

Clicking on a phishing email is not an “advanced cyberattack.” https://therecord.media/cyberhaven-hack-google-chrome-extension

I am a pilot and I am begging you: do not shine lasers at things in the air. You can kill us by blinding us at night. You’re not detecting UFOs; you’re blinding women like me driving beater SkyToyotas, animal rescue pilots, and Angel flights bringing rural cancer patients to hospitals.

This is Donation Week, and I want to see your Signature, Technical, and Showstopper donations as our @eff Attack Lawyers defend your rights in a battle for the ages.

Welcome to the Electronic Frontier Foundation.

https://eff.org/angrydollars

Oh goodness…schadenfreude? For MEEEE? You shouldn’t have.

No, really, you shouldn’t have. You should have been listening to us all along when we told you this would happen. A lot.

https://www.nbcnews.com/tech/security/us-officials-urge-americans-use-encrypted-apps-cyberattack-rcna182694

oh my god this is a utter #infosec banger and it should be heard by every #SOC this wknd

"CISO doesn’t have a clue.
No idea what to do.

He designed our security plan
though he's fallen for every scam
Writes backups straight to tape drive
His password is 12345"

https://www.youtube.com/watch?v=PbD4Q4Z1wwA

@patrickcmiller oh my god

@silverwizard what a fascinating movie. I am intrigued.

@Brad_Rosenheim hunger games is dudes. Frozen is dudes. Brave definitely qualifies. And Beasts of the Southern Wild is a *brilliant* addition to my list.

Dear internet: I would like your favorite movies about women overcoming huge/galactic obstacles. Those obstacles should not be dudes.

Good example: Gravity, Coraline
Bad Example: Kill Bill, Bombshell

EDIT: must be the main narrative, not a side quest. Hence, General Organa/Naomi Nagata don’t count.

This is a day where I’m LinkedIn-discovering a lot of people who are claiming to be cyber experts who’ve never held any role other than government policy or investment.

It vexes me when I’m brought in to mop up a situation created by people who’ve never touched a keyboard and yet somehow have been appointed to roles running government cyber policy development. I am greatly vexed.

Ask civil engineers who have built a bridge before making transportation budget policy. Ask doctors who have called a time of death before making medical policy. Ask survivors of abuse before making victim protection policy.

For heavens sake, ask a person who’s hacked a system before making cyber policy intended to fight cyber crime.

EDIT: if you’re in government and reading this and wondering if I’m subtooting you, I’m not. Anyone I’m talking about hasn’t ever heard of the fediverse 🙃🙃🙃 and I am absolutely shading them.

@dymaxion @deviantollam we both have mother tongues. For me, it’s the LOTR appendices and knowing which Doctor is which. For him, it’s whatever language he’s speaking when he orders a cheese steak in Philadelphia. It’s like when Gandalf utters the tongue of Morgoth; the skies darken, and a “wiz wit” appears.

🚨🚨 my husband, Deviant Ollam, has never *tap tap is this thing on** I repeat NEVER seen Rocky Horror. 🚨🚨

What are the greatest RHPS showings in Seattle, Portland, Las Vegas, Philadelphia, DC, and San Jose/South Bay, please and thank you? Amongst these cities I should be able to do a date with him where we are both able to be in a town.

Three times in client meetings with small businesses this week, I have quoted Jen Easterly's talk to CMU on security by design. Once, the SMB themselves brought it up, asking how they can improve their client security.

Just in case anyone's wondering if it's useful to have Jen's voice out there...her leadership of CISA and drive to improve infosec is directly and positively impacting cybersecurity in dockside coffee shops by sea ports and in warehouses south of the airport and with little services companies in rural Washington state.

Keep it up.

This is a public service announcement.

I have impostor syndrome. The people I look up to have impostor syndrome. The people I'm friends with have impostor syndrome. People you look up to have impostor syndrome.

The most insidious thing about impostor syndrome is that it makes it mindblowingly unbelievable when you find out that your heroes have it as well--because why would they? They've made it, they're at the pinnacle, what excuse could they possibly have for thinking they don't belong, and it's nearly self-indulgent of them to have impostor syndrome.

But of course YOU have impostor syndrome. You've still got everyone convinced that you belong here. </sad trombone>

Just remember - impostor syndrome isn't about whether you belong. It's about whether you're ALONE with your impostor syndrome...and you're not. Hugs. Right there with you, buddy.