• Do you get excited or upset about AWS SCPs, or GCP Org Policies?
• Do you have experience developing software to solve cloud security challenges?
• Do you downplay your cloud security knowledge but actually you know a lot of niche oddities of cloud IAM?
• Do you like working in diverse security teams that care about your wellbeing?
• Do you want to get paid to work on cloud security for one of the most sophisticated AWS environments in the world?
I'm hiring an L5 (mid-late career) cloud security software engineer for Netflix Cloud Security! I'm looking for someone with skills across cloud security, cloud infra, AND software engineering, and would like to see at least one of these skill areas:
• Experience building secure-by-default controls for Infra-as-Code (IaC) tools such as Terraform
• Experience building robust systems or easy-to-use abstractions for AWS native services such as EC2, Lambda, S3, SNS, SQS, DDB, etc.
• Experience leveraging AWS Config, Cloud Control API, CloudFormation, and CloudTrail
https://explore.jobs.netflix.net/careers/job/790304450320-security-software-engineer-l5-cloud-infrastructure-security-usa-remote
Netflix Cloud Security has industry-leading cloud security capabilities, and one of the most sophisticated AWS environments in the world. As a manager, I prioritize inclusion in order to maintain both the wellbeing and productivity of our diverse team. We hold folks to delivering high quality work by creating environments where you can operate to the best of your ability, through work-life balance, expecting folks to take ample time off (~6 weeks, but no one will track it). I'm happy to talk about this role and about how I manage teams — e.g., my Explicit Expectations and my commitments to my reports. https://managinginthemargins.com/explicit-expectations-leadership-by-example-edcb451abfb4
I'd love to hear what perspectives, skills, and experiences you could bring to our team! [This role can be US remote or office, with a distributed team across the US] #Hiring #FediHire #CloudSecurity
I should write a talk on cloud security vs bear metal security
Something like this: "I'm Sarai Rosenberg, and I've been responsible for securing one of the largest cloud platforms in the world, and I've also been responsible for securing one of the largest bear metal platforms in the world — and here's why you should just turn everything off permanently: because, let's face it, you're never going to be stronger than the bear."
Free advice: When something Not Great happens that's relevant to Black folks or Jewish or queer or Arabic folks, such as hate crimes or laws restricting civil rights…
…please check in with your friends and colleagues who might be emotionally affected even if they're not directly connected
Sharing kind sentiments is as easy as "I heard about some recent events. You don't have to say anything, but I'm thinking about you and I care about your well-being ❤️"
@grampajoe it doesn't really matter what you call it, the point is that it isn't easy to distinguish Signal from WhatsApp based on superficial qualities like "is the user required to pay money?"
I am tempted to create a "Death Timer" tabletop game.
Each round (week), every player who has done something risky rolls dice to determine how many years they remove from everyone's life around them. If they consistently wear a well fitting KN95+ mask in any indoor space near other people, remove months instead of years.
If you are ever in the same room with a player who has rolled dice in the past week, you also have to roll dice. This condition stacks.
I hate playing this game where X event means avoiding anyone who attended that for 2 weeks, and then for the following 2 weeks avoiding everyone who spent time with anyone who attended it
Which means a month has gone by, and there's another event
I'm already masking in any crowded/risky indoor spaces 🤷🏼‍♀️
Here's your annual warning to beware hanging out in person with Defcon attendees, because many of them have returned with asymptomatic COVID infections.
As in every year since 2021, Defcon is a super spreader event. Many COVID infections are NOT symptomatic: not showing symptoms does not guarantee not carrying the highly contagious virus.
Or, if I really wanted to blow up some (personal) cloud service bills, each instance could provision two new instances before the new instances tear down the previous instance, because what if we fork bomb the cloud?
I wonder how far it would get before someone at AWS calls me to say, "hey Sarai, cut it out"
And the real question here — which part of AWS would call first? My guess is that it would hit IAM limits before it hits compute or API limits, but if I designed it to create new accounts for each instance I could probably hit some AWS Organizations limits
So I had this terrible idea a few years ago to write some infrastructure automation that provisions a new compute instance, sets up secrets storage, configures IAM roles, authorizes the new instance to be able to provision new instance and roles via infra-as-code automation, and then the new instance tears down the instance and roles that created it, before then creating its own new compute instance, etc
Like a self-propagating glider in Conway's Game of Life, except with cloud infrastructure
I have a much wider and wiser perspective now: The tools developed by my teams are operated by them day in and day out, used by thousands of engineers daily, maintaining products that are used by hundreds of millions of customers night and day around the world
I write about power dynamics in engineering management
Insecurity Princess. Netflix Clod Infracture Security Manager. Queer femme mathematician. Dismantling systemic barriers in tech, one fencepost problem at a time
Wife of https://infosec.exchange/@sophieschmieg