
Comment Re:there are plenty of people until they aren't (Score 1) 164

All of this - and then add that if you're hiring for Cybersecurity, it's a high stress environment (studies show that Cybersecurity has among the highest levels of substance abuse of any tech job), and often requires people with BOTH high level technical skills (take a look at this code and review it for any SQL injection attacks is harder than Write code to query a table) and people skills (OK, now that you found the injection vulnerability, talk to the developer who wrote the code and teach them to write better code). For the right people, it's a fun area to work in, but it's a subset of all IT people.

Comment The view from the other side of the desk (Score 1) 164

I've been hiring people for "cyber" positions from before it was called that :).

Here are some tips for anyone attempting to break into this segment:

1) Cyber != IT or development. Expect different questions. I'm unlikely to ask you to code anything during an interview. I'm going to ask you to explain the difference between Asymmetric Crypto, Symmetric Crypto, and Hashing. Depending on the position I'm hiring for, I may ask you to describe to me a vulnerability or two, nothing bleeding edge, but I might ask you to explain SQL injection.
2) Go watch some vids from infosec.org, talk to me about it, give me some reason to believe that Infosec isn't a port of last resort between your preferred IT/Dev roles, especially if you have 0 prior infosec experience.
3) Infosec is about systems. "Full stack" and beyond. I'll often ask "So when you enter www.google.com into your browser, what happens?" Best answers go wide and deep, they talk about HSTS, and get down to ARP packets and BGP. I don't expect you to explain packets at the bit level, I like to know you understand the whole ecosystem, because often security is about finding a vulnerability on one layer of the stack to attack another level of the stack.
4) Understand what things like encryption are useful for and what they aren't. A typical question is "What does whole disk encryption protect against?" I'll often follow up with "Does it protect against SQL injection?" I'm looking to see if the candidate understands how things work from an architectural level. (Spoiler: hardware disk encryption protects you from Tom Cruise hanging from a ceiling tile and stealing your drives. That's it. If encryption is transparent to a layer, it probably doesn't provide any protection at that layer.)
5) Risk is a practical concept for Cybersecurity. If you understand risk, it makes it a lot easier to make decisions that involve trade-offs (which is basically all of them in Cybersecurity).

I have sat through a lot of interviews where candidates thought that BASE64 was a good way to encrypt data. Do some learning before you apply and both you and the interviewer will have a better day :).
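As an added illustration of the "review this code for SQL injection" interview question mentioned in the posts above (this is example code added here, not anything the commenter posted), the block below puts the flawed lookup next to the fixed one and runs both against a throwaway in-memory SQLite table. The rows, the function names (lookup_vulnerable, lookup_parameterized, review_demo) and the sample inputs are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows for the demonstration (not real users).
SAMPLE_USERS = [
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
    ("carol", "carol@example.invalid"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The pattern a reviewer should flag: untrusted input spliced into the SQL text.

    The input becomes part of the query grammar, so a quote character inside it
    changes what the statement means rather than what it matches.
    """
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """The fix: the statement is fixed text and the value is bound separately,
    so the database engine treats it as data and never as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def review_demo() -> dict:
    """Run both lookups with a benign name and with the textbook injection string
    and return the row counts, so the difference shows up as data."""
    conn = build_db()
    benign = "alice"
    hostile = "' OR '1'='1"   # constructed input that turns the WHERE clause into a tautology
    return {
        "vulnerable_benign": len(lookup_vulnerable(conn, benign)),
        "vulnerable_hostile": len(lookup_vulnerable(conn, hostile)),
        "parameterized_benign": len(lookup_parameterized(conn, benign)),
        "parameterized_hostile": len(lookup_parameterized(conn, hostile)),
    }


if __name__ == "__main__":
    for key, value in review_demo().items():
        print(f"{key}: {value} row(s)")
```

The point for a code review is the shape of the call, not the particular payload: any place where request data is concatenated into a statement is the finding, and the parameterized form is the remediation to suggest to the developer.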

Comment Re:still doing modems in movies in 1992 (Score 1) 43

This. Sneakers is at least partially responsible for my career choices over the intervening years. I remember commenting to the other geek I went to see it with that assuming one allows the premise (that it's possible to break RSA with a hardware black box, which was more outlandish in a pre-Quantum Computing world) the rest of the tech actually held together pretty well. Out of all of the 90s era movies, it'd be the one I'd not be horridly embarrassed to watch with my 11 year old daughter.

Rewatch it every year on the way to defcon. Gonna miss that pilgrimage this year, as defcon is cancelled :(

Comment Unethical AF. (Score 1) 147

I know the current sentiment among teen edge lords is "ACAB" but this crosses way way beyond the line of ethical hacking and goes straight to gutter trash. Really disappointed to see anyone that's happy about this. A lot of completely unrelated data that potentially exposes abuse and crime victims. This is no better than the garbage dumped by Manning & Reality Winner.

Comment Re:Isn't "truth" a defence? (Score 1) 140

This has always been the case, try publishing medical records, state secrets, etc. Ask Edward Snowden about how that worked out?

Now those are on a different level (though arguably the medical files do come closer) but the point is that there have always been "proven facts" that if published will get you into hot water.

Comment Good. They need to. (Score 0) 98

They need to, and it's up to us to continue to spread the valid science instead of the utter trash and lies that the anti-vaccine lunatics continue to share.

We *have* to keep fighting them.

I am so sick of the anti-vaccine losers. That trash called "Plandemic" is going to pop up again when the full length version comes out. Problem is, that the antis now think there's some deep state agenda when a private service removes objectionable and potentially harmful content.

Youtube has a lot of stuff that they still need to remove, though. Start by getting rid of the 9/11 truther garbage, and any trace of Infowars.

Comment Missing from fine summary (Score 4, Insightful) 28

Missing from the fine summary:

"Fleeceware apps take advantage of the fact that app makers can still charge users even after users uninstall the app from their devices.

App store policies allow app makers to create their own trial cancelation steps, and some app makers won't interpret uninstalling the app as a trial period cancellation but instead force users to go through complicated procedures."

So you can totally cancel, just proceed to the cellar, with a flashlight, without the stairs, and place your request in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying "beware of the leopard". Easy!

Comment Re:This seems like a huge overreaction to me (Score 1) 127

Because 1080 people died from this thing in the last 24 hrs, and the infection and death rates are increasing logarithmically, and we have no particular reason to think that it'll stop before it's infected 50% of the world's population (low-ball on herd immunity numbers). Which if trends continue will be 427,471,737 deaths. So there's only one number in the equation we can impact. R0 is the obvious one, if we can slow the spread enough, eventually it'll die out. Look at Singapore and China if you think that's not possible - it's not easy, but can be done.

If you think that the China model of outbreak stopping is maybe a bit extreme (hint, if you think NY's measures are bad...), the other option is to slow R0 less, but still enough to keep us from running out of medical stretch capacity and lower that 11% current fatality number, which is largely impacted by Italy's epic fail at managing their R0 numbers, much like you're advocating we adopt, so that the number of fatalities decrease.

All numbers taken from https://www.worldometers.info/ and I freely admit that I don't know everything, and can't see the future any better than anyone else, but those look like the best data I can find.

Now MAYBE we get lucky. MAYBE we find a good treatment in time. MAYBE it's seasonal and gives half the world (the one we're both probably in given we're talking on Slashdot) a break for 6 months. Maybe it mutates and becomes less infectious/less lethal.

I HOPE we get lucky. I PLAN that we won't. The thing about logarithmic/exponential curves is that you have two options - Overreact or Under-react. The thing about pathogens is under-reacting costs lives, you can ask Italy about that, there's no end of online sources about what goes wrong when you under-react to this bug.

So PLEASE over-react. I don't know you, but you're a human, and I want you to not spend weeks in a hospital bed, or see a loved one there. In the 1918 flu, everyone who survived knew someone who died. I don't wish that on anyone.

Min

Comment Re:Is this necessary? (Score 1) 20

Well, oddly enough I've been teaching that for the last 11 years, and it doesn't exactly fill her whole day. She helps me make dinner, etc already. You sound as if you thought I wasn't already doing those things. The kid can also solder, program an Arduino, pick locks and has a better idea of how to secure herself on the internet than most adults. She also has learned to trust experts to teach her things, and not her eccentric old man.

There are things I'm expert on, but those are not all the things she needs to learn.

The original question is "is this necessary?" and the answer is yes, it wasn't "does this abdicate you of your responsibility as a parent?"

Comment Re:Is this necessary? (Score 3, Insightful) 20

Naturally there is, I could teach her myself, after teaching myself to teach. I could also repair my own car after teaching myself to be a mechanic, cut her hair after teaching myself to do that, etc. Or I could do what I do for the almost endless list of things I don't know how to do and pay for someone else to do them while I do the thing I've been learning for 25 years to do well. Not to mention I'd be pretty shit as a teacher, and am honest enough with myself to admit that. My daughter has had some awesome teachers over the years and I'm not egotistical enough to believe I could emulate their successes.

Comment Re:Innovative encryption is usually problematic (Score 2) 46

I agree with the premise in most cases. I like the http://www.moserware.com/2009/... solution to this problem: "I ____ promise that once I see how simple AES really is, I will not implement it in production code even though it would be really fun. This agreement shall be in effect until the undersigned creates a meaningful interpretive dance that compares and contrasts cache-based timing and other side channel attacks and their countermeasures."

Now having seen https://en.wikipedia.org/wiki/... talk a number of times over the years, and while not being ANYWHERE near their caliber, I am generally considered to know what I'm doing in information security.

So FWIW, my family uses Signal, my circle of clued professional acquaintances use Signal, and we use it at hacker conventions.

So I think at least for my money, we can waive Moxie's need to actually perform the interpretive dance. :)

Obviously someone needs to build the next generation of cryptography. Otherwise we'll eventually lose the eternal battle between offense and defense. We need experts. Moxie's one of them.

Min
