@skinnylatte My first thought upon reading this article was how horrific it is for the mother reported upon here and others in her situation. My second thought was, what about the fathers? Are the fathers tested? Was the father tested in this case? And my third thought was that about 30% of the population of the United States would be totally ok with this happening here, with tests based on politics or religion (indeed, the U.S. has taken away many babies throughout its history).
How many people do you think understand, when they see all the recent alerts about food in the U.S. being recalled for listeria, E. coli, etc., that if the GOP has its way not only will there be no one in the government to investigate outbreaks, determine their sources, and issue recalls, there also will be no one to inspect factories to enforce the regulations which stop most foodborne illness outbreaks before they start. #politics #USPol #GOPDeathCult
P.S. One of the reasons there are more recalls nowadays is probably because more people are getting sick from bacteria they would have been able to shrug off without noticing before COVID screwed up their immune systems. That is, I'm not sure the amount of contaminated food has increased, so much as people's resistance to it has decreased. So, yeah, about that ongoing pandemic most people are trying their best to ignore…
My wife teaches at a Hebrew school. They are the chillest employer in the world, totally amazing. She has an email address in the school's #GoogleWorkspace. It's not published anywhere. I don't think she uses it to email school parents; I believe the only reason she has it is because there was a problem with the school's payroll system (QuickBooks, of course) which they attempted to solve at one point by giving her an address at the school to use as her login. #spam #ATT #privacy #infosec 🧵1/3
People are claiming that public opprobrium about Matt Gaetz is what forced him to withdraw, and that we should therefore expect to be able to force others to withdraw through similar widespread public condemnation. Nope. Gaetz withdrew because his former GOP colleagues in Congress absolutely abhor him and he was going to lose a confirmation vote. Their abhorrence for Gaetz isn't nearly matched for any other nominee. All the other nominees will be confirmed. #politics #USPol
I need to tell you a #customerService success story. I ordered three cordless honeycomb blackout shades from #HomeDepot in 2020. They came with a 1-year warranty. One of them broke in 2023. I ordered a replacement, thinking it was a fluke. The second one broke a few months ago, exactly the same way the first one had. I started to suspect something was amiss but ordered another replacement. The third one just broke a few days ago. #goodNews 🧵1/6
On a list I'm on, someone asks for advice protecting a small trans support org worried about e.g. keeping their membership list safe. Several people respond, "Talk to company <x>, they help non-profits secure infra." I look at <x>. Its flagship product automates managing security controls in apps like Google Workspace and Slack. I'm like, this isn't going to help when the subpoenas start flying. Y'all need to change your threat model. #smdh #infosec #threatModeling #politics #USPol
I wrote back: "If I were running a trans support org right now, I'd be moving all non-public info and internal org infra onto a NAS in my basement with encrypted drives that require a long passphrase to be entered on boot, with offsite backups syncing to a similar NAS in the basement of another leader of the org. I would not rely on any cloud service to protect my data and my members from harm. The only thing I would put on cloud infra is a public web site that doesn't store any sensitive data."
It's been the honor and privilege of a lifetime to be at the U.S. Digital Service serving the American people in my role as the Information Security Lead for VA.gov at the Department of Veterans Affairs. I'm highly regarded there and wish I could stay, as do my superiors and coworkers. However, the substantial uncertainty surrounding the presidential transition exceeds my family's risk tolerance threshold, so I probably need to step away. #JobSearch #GetFediHired #infosec 1/2
The #GAO recently put out a draft report about the challenges faced by several federal agencies, including the #VA, maintaining an effective cybersecurity workforce. I had an opportunity to review and provide feedback about the report, and my primary feedback was about two problems the report didn't even touch upon; indeed, the recommendations in the report arguably exacerbate these problems. Here's what I wrote about. #CivicTech #GovTech #USGov #infosec 🧵1/4
First, when GAO and NIST require centralized management of the cyber workforce, they create a perverse incentive for departments to centralize the workforce itself, not just its management, because it's easier to centrally manage a centralized workforce. This results in departments failing to recognize and act on the importance of embedding cyber experts throughout the department. Recommendation: Every IT-focused office anywhere in the department should have cyber staff. 🧵2/4
Second, when departments use "tricks" to fill cyber headcount, including, e.g., hiring inexperienced people and training them on the job, they are self-sabotaging efforts to build a competent cyber workforce. Three reasons: 1) Cyber is no different than any other profession: not everyone will be good, no matter how well they are trained. It's hard to fire government employees. If you hire someone who turns out to be mediocre, then you're stuck with mediocre. 🧵3/4
2) Competent people don't like working in environments with incompetent people. If you staff up with mediocre people, you drive good people out. 3) When competent cyber people are forced to spend time on training and on making up for the inadequate work of mediocre colleagues, it saps their productivity. Recommendation: Prioritize hiring good people, increasing salaries if necessary to attract them, not filling seats. 🧵4/4
P.S. I _passionately_ hate the terms "cybersecurity" and "cyber" and strongly prefer "information security" and "infosec", but that battle is long over in the federal government, so I reluctantly go with the flow when I'm communicating about it in government contexts.
Here's a piece of #freeAdvice for #startup #CEO's… If you're acquired, make sure you get an email out to all your shareholders, a.k.a. former employees with exercised stock options, about the acquisition _before_ the law firm handling the acquisition sends them email containing the code they'll need to access their stock option payout. In other, definitely related news, my former employer #Numerated has apparently been acquired by #MoodysAnalytics, and I'll be getting some money from my stock.
Follow up on this: I received an email message from "PNC Paid" with instructions for using the code I was emailed previously to start the process of receiving my stock payout. Then I received a _second_, nearly identical email from "PNC Paid" a few hours later, sent to a different email address of mine, with a different link in it. Which is problematic because the email claims the link is customized for me. (continued)
I tried to use the link in one of the emails and the code previously sent to me to start the process, and I was blocked when the site claimed it was sending an authorization code to my email and then… just didn't. I _know_ they didn't because I run my own mail server and I can see from the logs that there was no attempt to send me an email containing a code. I waited until that code timed out and tried again. Again, no code email was sent to me. (continued)
I then tried using the link in the _other_ email from PNC Paid to see if it would work any better. It did not; again, I received no code. I emailed the people orchestrating all this and asked for assistance. They responded, "PNC initially got a bounce back from this address, which I imagine is the root of the problems. I’ll ask them to reach out directly to assist." Which is bullshit because my email server works perfectly fine and does not bounce legitimate emails. smdh
It looks like PNC Paid is using #ProofPoint servers for its outbound email delivery. I know from personal experience that ProofPoint absolutely sucks at email delivery, so perhaps that's part of the problem.
Note that ProofPoint, A SECURE EMAIL COMPANY, runs mail servers that are incapable of negotiating non-deprecated TLS ciphers:
he/his. Digital Services Expert at #USDS (https://usds.gov/), detailed to #VA. I work primarily in #infosec, #IT, and #SaaS infrastructure. Prior to USDS, I was a #tech #startup #CISO. Dad, old-school hacker, Righteous Indignation Man. Opinions are my own. You can follow my blog from the Fediverse via @jikblog. #MaskUp #COVID #CovidIsNotOver #USPol #MAPol #BosPoli #Boston #MA #politics #resist #linux #FOSS #OpenSource #ConsumerActivism #privacy #programmer #hacker #fedi22