Eric Grosse (@n2vi) 's Twitter Profile
Eric Grosse

@n2vi

infosec, pilot, husband/father/grandad.

ID: 42266519

Link: http://n2vi.com | Date: 24-05-2009 19:30:53

177 Tweet

974 Followers

174 Following

Niels Provos (@nielsprovos) 's Twitter Profile Photo

Interested in joining a world-class security team Stripe? I am hiring for many interesting security roles. Do you bring low ego/high empathy? Do you have great engineering taste? Do you know how to build scalable systems and the value of simplicity? bit.ly/ZfNa1

Communications of the ACM (@cacmmag) 's Twitter Profile Photo

"Implementing Insider Defenses," by Eric Grosse, Fred Schneider (Cornell University), and Lynette Millett (National Academies), on #benefits and #challenges of involving people in cyber #defense bit.ly/32OWZJL. And video on Department of Defense 🇺🇸, private sector practices bit.ly/3xAxHNM
Eric Grosse (@n2vi) 's Twitter Profile Photo

Thanks @[email protected] -- Follow me there for arstechnica.com/information-te… and earlier articles about FIDO. In January I ranted in n2vi.com/Auth.pdf about some related issues, in an effort to help OMB strengthen federal agencies' logins.

Institute for Security and Technology (@ist_org) 's Twitter Profile Photo

IST continues the design development for CATALINK, an additive 21st century nuclear crisis communication solution that can be used in the lead up to, during, or after a crisis.

Eric Grosse (@n2vi) 's Twitter Profile Photo

Kudos to Yubico for this program and for their partnership with Hideez to equip Ukraine. #YubiKey is the single best thing ordinary folks can adopt to protect accounts they care about.

Eric Grosse (@n2vi) 's Twitter Profile Photo

At dispute is whether, after data was deleted, to classify as breach + extortion + ransom payment or as vulnerability demonstration + pressuring a vendor to fix their security + bug bounty. It can be argued either way. 2/9

Eric Grosse (@n2vi) 's Twitter Profile Photo

It would be good if Congress created crisp and workable definitions, but they haven't despite trying. Alternatively, it would be ok for a series of court decisions over time to create law by setting civil fines against companies. 3/9

Eric Grosse (@n2vi) 's Twitter Profile Photo

To jump to felony conviction of an individual is unfair. To selectively prosecute only one person for actions within existing prevailing norms is deeply unfair. 4/9

Eric Grosse (@n2vi) 's Twitter Profile Photo

Years ago in that role at Google, I argued for always going public whether breach or bug. The temporary pain was outweighed by the long-term trust it built with customers. This was not a popular or universally-accepted position. 5/9

Eric Grosse (@n2vi) 's Twitter Profile Photo

But I was in the privileged position of a fantastic security team with fantastic support from management. Many CISOs are not so lucky. Infosec is hard, rules are murky, resources are limited, and facts are uncertain or late. 6/9

Eric Grosse (@n2vi) 's Twitter Profile Photo

Federal prosecution here is foolish as well. The enemy isn't Joe Sullivan, the enemy is GRU and CCP and NK and ransomware gangs. Start putting your allies in jail and you'll have fewer allies. 7/9

Eric Grosse (@n2vi) 's Twitter Profile Photo

Various agencies of the federal government have done a lot of bad things in infosec over the years. For me, this prosecution is the last straw. 8/9