On a list I'm on, someone asks for advice protecting a small trans support org worried about e.g. keeping their membership list safe. Several people respond, "Talk to company <x>, they help non-profits secure infra." I look at <x>. Its flagship product automates managing security controls in apps like Google Workspace and Slack. I'm like, this isn't going to help when the subpoenas start flying. Y'all need to change your threat model. #smdh #infosec #threatModeling #politics #USPol
I wrote back: "If I were running a trans support org right now, I'd be moving all non-public info and internal org infra onto a NAS in my basement with encrypted drives that require a long passphrase to be entered on boot, with offsite backups syncing to a similar NAS in the basement of another leader of the org. I would not rely on any cloud service to protect my data and my members from harm. The only thing I would put on cloud infra is a public web site that doesn't store any sensitive data."
It's been the honor and privilege of a lifetime to be at the U.S. Digital Service serving the American people in my role as the Information Security Lead for VA.gov at the Department of Veterans Affairs. I'm highly regarded there and wish I could stay, as do my superiors and coworkers. However, the substantial uncertainty surrounding the presidential transition exceeds my family's risk tolerance threshold, so I probably need to step away. #JobSearch #GetFediHired #infosec 1/2
The #GAO recently put out a draft report about the challenges faced by several federal agencies, including the #VA, maintaining an effective cybersecurity workforce. I had an opportunity to review and provide feedback about the report, and my primary feedback was about two problems the report didn't even touch upon; indeed, the recommendations in the report arguably exacerbate these problems. Here's what I wrote about. #CivicTech #GovTech #USGov #infosec 🧵1/4
First, when GAO and NIST require centralized management of the cyber workforce, they create a perverse incentive for departments to centralize the workforce itself, not just its management, because it's easier to centrally manage a centralized workforce. This results in departments failing to recognize and act on the importance of embedding cyber experts throughout the department. Recommendation: Every IT-focused office anywhere in the department should have cyber staff. 🧵2/4
Second, when departments use "tricks" to fill cyber headcount, including, e.g., hiring inexperienced people and training them on the job, they are self-sabotaging efforts to build a competent cyber workforce. Three reasons: 1) Cyber is no different than any other profession: not everyone will be good, no matter how well they are trained. It's hard to fire government employees. If you hire someone who turns out to be mediocre, then you're stuck with mediocre. 🧵3/4
2) Competent people don't like working in environments with incompetent people. If you staff up with mediocre people, you drive good people out. 3) When competent cyber people are forced to spend time on training and on making up for the inadequate work of mediocre colleagues, it saps their productivity. Recommendation: Prioritize hiring good people, increasing salaries if necessary to attract them, over filling seats. 🧵4/4
P.S. I _passionately_ hate the terms "cybersecurity" and "cyber" and strongly prefer "information security" and "infosec", but that battle is long over in the federal government, so I reluctantly go with the flow when I'm communicating about it in government contexts.
Here's a piece of #freeAdvice for #startup #CEOs… If you're acquired, make sure you get an email out to all your shareholders, a.k.a. former employees with exercised stock options, about the acquisition _before_ the law firm handling the acquisition sends them email containing the code they'll need to access their stock option payout. In other, definitely related news, my former employer #Numerated has apparently been acquired by #MoodysAnalytics, and I'll be getting some money from my stock.
Follow up on this: I received an email message from "PNC Paid" with instructions for using the code I was emailed previously to start the process of receiving my stock payout. Then I received a _second_, nearly identical email from "PNC Paid" a few hours later, sent to a different email address of mine, with a different link in it. Which is problematic because the email claims the link is customized for me. (continued)
I tried to use the link in one of the emails and the code previously sent to me to start the process, and I was blocked when the site claimed it was sending an authorization code to my email and then… just didn't. I _know_ they didn't because I run my own mail server and I can see from the logs that there was no attempt to send me an email containing a code. I waited until that code timed out and tried again. Again, no code email was sent to me. (continued)
I then tried using the link in the _other_ email from PNC Paid to see if it would work any better. It did not; again, I received no code. I emailed the people orchestrating all this and asked for assistance. They responded, "PNC initially got a bounce back from this address, which I imagine is the root of the problems. I’ll ask them to reach out directly to assist." Which is bullshit because my email server works perfectly fine and does not bounce legitimate emails. smdh
It looks like PNC Paid is using #ProofPoint servers for its outbound email delivery. I know from personal experience that ProofPoint absolutely sucks at email delivery, so perhaps that's part of the problem.
Note that ProofPoint, A SECURE EMAIL COMPANY, runs mail servers that are incapable of negotiating non-deprecated TLS ciphers:
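The check a practitioner would run to see what a mail server's STARTTLS endpoint will actually negotiate, as an added example that is not part of the original post and not an artifact of the author's test. It drives `openssl s_client -starttls smtp` with each TLS version pinned, parses the negotiated protocol and cipher out of the session summary, and flags anything that is only reachable under TLS 1.0/1.1 or with a cipher from a deliberately small, assumed weak list (NULL, export, RC4, DES/3DES, MD5, anonymous DH). The host and port are placeholders supplied on the command line; nothing here identifies any particular server.

```shell
#!/bin/sh
# Added example (not from the original post). Audits an SMTP server's STARTTLS
# handshake across pinned TLS versions. HOST and PORT are placeholders passed
# as arguments; the weak-cipher list below is an assumption, not a standard.

# Pull "Protocol" and "Cipher" out of the SSL-Session block that s_client
# prints. A failed handshake shows cipher 0000 (or prints nothing at all).
parse_session() {
    awk '
        /^ *Protocol *:/ { proto = $3 }
        /^ *Cipher *:/   { cipher = $3 }
        END {
            if (proto == "" || cipher == "" || cipher == "0000")
                print "HANDSHAKE-FAILED"
            else
                print proto, cipher
        }'
}

# classify PROTOCOL CIPHER -> WEAK or OK. Assumed policy: anything below
# TLS 1.2 is weak (openssl prints TLS 1.0 as "TLSv1"), as are the listed
# cipher families. Adjust the patterns to your own policy.
classify() {
    proto=$1; cipher=$2
    case "$proto" in
        SSLv2|SSLv3|TLSv1|TLSv1.0|TLSv1.1) echo WEAK; return ;;
    esac
    case "$cipher" in
        *NULL*|EXP*|*RC4*|*DES*|*MD5*|ADH*|AECDH*|0000) echo WEAK ;;
        *) echo OK ;;
    esac
}

# audit_starttls HOST [PORT]: one handshake attempt per pinned TLS version.
# A server that only yields a session under -tls1/-tls1_1, or whose best
# result is WEAK, is the kind of server the post complains about.
audit_starttls() {
    host=$1; port=${2:-25}
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        session=$(openssl s_client -starttls smtp -connect "$host:$port" \
            -servername "$host" "$flag" </dev/null 2>/dev/null | parse_session)
        case "$session" in
            HANDSHAKE-FAILED) verdict="no session" ;;
            *) verdict=$(classify $session) ;;
        esac
        printf '%-8s %-40s %s\n' "$flag" "$session" "$verdict"
    done
}

# Usage: sh audit_starttls.sh mail.example.net 25   (placeholder host)
if [ "$#" -ge 1 ]; then
    audit_starttls "$1" "$2"
fi
```

Note that an `openssl` built without TLS 1.0/1.1 support will refuse the `-tls1`/`-tls1_1` flags outright, which shows up as "no session" just like a server that declines them; check `openssl version` and the stderr of a single manual run before reading too much into those two rows.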
I am sick to death of the articles the media keeps running talking about how everyone needs to reach across the aisle and find common ground with people whom they disagree with. Fuck that noise. I don't have common ground with anyone who still supports Trump's GOP. They're either too stupid to understand what the GOP is selling or they want it. The leopards will eventually eat their faces too, and they will deserve it, but in the meantime the rest of us are screwed too. #politics #USPol
@fossilesque What, after all, is the purpose of a $3.1 billion endowment, if it isn't to ensure that the compensation of senior university administrators can increase substantially every year? What, you thought that the purpose of the endowment was to support educating students? Ha! Don't be ridiculous. (The president of BU makes over $2 million in annual compensation.)
"The biggest challenge of our lifetime will be figuring out how to combat the American willingness to embrace flagrant misinformation and bigotry." #RoxaneGay in the Times. Free link (doesn't give the Times any clicks): https://archive.ph/2mdDE #politics #USPol
"If California can pass a state law which essentially forces cities and towns to criminalize homelessness, then can Massachusetts pass a state law _preventing_ cities and towns from criminalizing homelessness?
@phaedral Hi! Please do me the courtesy of assuming that when I say the unsubscribe link in the email from Intuit didn't work, I actually mean that the unsubscribe link in the email from Intuit didn't work, not that I was too stupid to find the "correct" unsubscribe link to click in the email. Thanks.
he/his
Digital Services Expert at #USDS (https://usds.gov/), detailed to #VA. I work primarily in #infosec, #IT, and #SaaS infrastructure. Prior to USDS, I was a #tech #startup #CISO. Dad, old-school hacker, Righteous Indignation Man. Opinions are my own. You can follow my blog from the Fediverse via @jikblog.
#MaskUp #COVID #CovidIsNotOver #USPol #MAPol #BosPoli #Boston #MA #politics #resist #linux #FOSS #OpenSource #ConsumerActivism #privacy #programmer #hacker #fedi22