shortridge

@shortridge@hachyderm.io
Senior Director @Fastly | author of Security Chaos Engineering: Sustaining Resilience in Software & Systems (O'Reilly)

resilience + complex systems | bringing software security out of the dark ages

&void; | daedric prince of chaos | previously @swagitda_

“In the information society, nobody thinks. We expected to banish paper, but we actually banished thought."


shortridge, to Cybersecurity

I’m in a reflective mood this week and it’s kind of wild to me that I’m known as a “provocateur” in for takes like:

💡 don’t shame victims

💡 UX matters, a lot

💡 we should understand what we’re supposed to protect

💡 if someone clicking a thing on the thing-clicking machine leads to security failure, they are not the foolish one

💡 the best things a security program can invest in aren’t in the RSAC vendor hall

💡 maybe we should start actually proving outcomes??????????

¯\_(ツ)_/¯

shortridge,

@bynkii there’s such a fucked up authoritarian streak in cybersecurity culture. If there’s one thing I could change, it’s probably that.

My jimmies are rustled just reading that exchange

shortridge,

@Kensan I agree. 99% of the time I feel like what I say and write is extremely obvious, and yet so many people in infosec are incensed by it.

shortridge,

@Kensan 🎯 yes, they usually feel personally attacked (although will rarely admit it). As to why… I have my armchair psychology analysis I often put in my blog footnotes that can be summarized as “an industry that has self-selected for psychological insecurity for a long time.”

shortridge,

@Kensan I agree entirely, it’s why I bring up that SREs also have to deal with counterfactuals in their work in my blog post from a month ago or so… it isn’t the “gotchya” infosec ppl think it is

https://kellyshortridge.com/blog/posts/cybersecurity-isnt-special/

shortridge,

@Kensan you’re gonna love the book :)

shortridge,

@kingbeauregard @Kensan yep, there are quite a few overlooked metrics that can proxy for, “are we making other teams miserable?”

help desk tickets related to security policies; temporal and spatial backlogs (shoutout to the 6 month security review backlogs I hear about all the time); % adoption of a security tool / workflow / other thingy (bonus points for it captured over time — eg does it stagnate?), etc

and one I especially love, per @geoffbelknap, is capturing the security team’s NPS

shortridge, to random

got a major glow up and has a bunch of new features.

My fav two are:
✨ CLI support so you can npm install -g deciduous
✨ steganography so you can import a png / svg of a decision tree and derive the YAML for it

@rpetrich blogged about how he created the steganography feature so if you want a short & sweet nerd treat, read here: https://rpetrich.com/blog/posts/steganographic-trees-deciduous/

p.s. I added the decision trees from my con talk into the GitHub repo as inspo for threat modeling failures xoxo
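The post above describes Deciduous recovering a decision tree's YAML from an exported image. The block below is an added illustration of the general idea, written for this page and not Deciduous's or @rpetrich's own implementation (his blog post linked above describes what the tool actually does): it builds a valid 1x1 PNG with the standard library, stores a decision-tree YAML document in a PNG `tEXt` chunk, and walks the chunk list, checking CRCs, to get the YAML back. The sample tree, the `decision-tree` keyword and the function names are assumptions chosen for the example.

```python
"""Round-trip a decision-tree YAML document through a PNG tEXt chunk.

Constructed illustration (not Deciduous's code): a minimal 1x1 PNG is built
from scratch with the stdlib, the YAML source is stored in a tEXt chunk, and
a reader walks the chunk list, verifying CRCs, to recover it.
"""
import struct
import zlib
from typing import Iterator, Optional, Tuple

# Constructed sample tree; the YAML shape is an assumption for this example.
TREE_YAML = """\
title: Attacker reads customer data from the object store
facts:
  - reality: Attacker has a leaked read-only IAM key
attacks:
  - list_bucket: Attacker enumerates bucket contents
    from:
      - reality
mitigations:
  - bucket_policy: Bucket policy denies listing from outside the VPC
    from:
      - list_bucket
goals:
  - exfil: Attacker downloads customer PII
    from:
      - bucket_policy
"""

# Assumed tEXt keyword; PNG allows any Latin-1 keyword of 1..79 bytes.
KEYWORD = b"decision-tree"
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def embed_yaml(yaml_text: str) -> bytes:
    """Build a valid 1x1 greyscale PNG that carries yaml_text in a tEXt chunk."""
    # IHDR: width=1, height=1, bit depth 8, colour type 0 (grey), no interlace
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    raw_scanline = b"\x00\x80"  # filter type 0 followed by one mid-grey pixel
    idat = zlib.compress(raw_scanline)
    text = KEYWORD + b"\x00" + yaml_text.encode("latin-1")
    return (PNG_SIGNATURE
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"tEXt", text)
            + _chunk(b"IDAT", idat)
            + _chunk(b"IEND", b""))


def iter_chunks(png: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Yield (type, data) for each chunk, rejecting a bad signature or CRC."""
    if png[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG")
    pos = 8
    while pos < len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if crc != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, data
        pos += 12 + length


def extract_yaml(png: bytes) -> Optional[str]:
    """Return the YAML stored under KEYWORD, or None if no such chunk exists."""
    for ctype, data in iter_chunks(png):
        if ctype == b"tEXt":
            keyword, _, value = data.partition(b"\x00")
            if keyword == KEYWORD:
                return value.decode("latin-1")
    return None


if __name__ == "__main__":
    png = embed_yaml(TREE_YAML)
    assert extract_yaml(png) == TREE_YAML
    print(f"{len(png)}-byte PNG round-trips {len(TREE_YAML)} bytes of YAML")
```

Because the YAML sits in an ancillary text chunk, any image viewer still renders the PNG, while a tool that knows the keyword can rebuild the tree without re-parsing the picture; the CRC check means a corrupted or tampered file fails loudly instead of yielding a subtly wrong tree.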

shortridge,

@hazelweakly @rpetrich yes please!! the dopamine hit from seeing ppl publish their Deciduous trees in the wild is especially satisfying

shortridge, to Cybersecurity

zealots often shame humans for writing down their passwords, but as someone who just had to excavate the digital remains of a loved one who died suddenly:

please write down your credentials somewhere a trusted human can find them, especially your phone passcode and any primary passwords (like for email accounts, password manager, etc.)

the humans who care about you will need that access for many reasons; a "badass" threat model will only add helplessness to their grief

shortridge,

if you want to still be sneaky, hide your critical passwords (and backup MFA codes!) behind a photo frame or in a random book or whatever, but tell whomever you trust most where that place is, or at least write it down in the place they're most likely to look if you pass unexpectedly.

ask the same of your loved ones, too.

no one deserves the pain of navigating customer support trees and the other kafkaesque hells of accessing accounts when they're already submerged in grief. loving is leet.

shortridge,

@Donatella that, at a minimum, yes. safety deposit boxes can also work.

but I still believe the most compassionate thing is to make them accessible elsewhere, like in one's home. when there's an unforeseen crisis, not everyone may know who the lawyer is and may need immediate access into accounts (eg for bloodwork results from other providers, to cancel appointments and other financial burdens, etc.)

shortridge,

another key takeaway for me from excavating the digital remains of a loved one who died suddenly:

usable security or bust. in my case, the iOS Password Manager saved the day because it stored their creds by default as they used their devices.

...but they found the 2FA app so confusing that they offloaded it and never saved the password to it.

SMS 2FA may be more insecure, but it confused them less and meant my access to their phone = access to 2FA. Security isn't the only thing that matters.

shortridge,

@tyler the non-techy vs. techy approach is so important.

because if you're a techy person and have an unexpected health crisis or pass, the non-techy people who care about you will struggle to navigate everything, compounding their sense of helplessness.

and, in my case, I deeply regret setting up an important account for them (photo storage) with app 2FA vs. SMS 2FA. It clearly confused them, so they offloaded the app and it means I still don't have access yet (but working on it).

shortridge,

@wendynather precisely. we live in a stochastic reality and must prepare for that, even if it creates some existential dread in the meantime.

that's why I don't recommend just putting it in your will, too; put it somewhere in your residence.

(and like, if someone is breaking in for the purpose of accessing your devices, they can just wait until you're home and break your kneecaps anyway if you haven't written it down. for the vast majority of ppl, it's such a silly threat model)

shortridge,

@avoidthehack it's true, an "in case of death / emergencies" file or box is so useful. and usually it's not that difficult to obscure it within a residence.

no one wants to think about their demise or incapacitation, but it's worth preparing the basics our trusted humans might need in that situation... and organizing it in a way that assumes those humans will not be thinking clearly, either.

shortridge,

@sassdawe @wendynather this does look really useful, thank you for sharing it.

listing out subscriptions is useful for anyone, too. another thing I had to do was scrutinize credit card statements over the past ~12-14 months to enumerate services and subscriptions.

thankfully, this person purchased a lot of subscriptions through the App Store, which made it much easier to cancel.

most of the others had creds stored in their iOS Password Manager, so it was easier than it might have been.

shortridge,

@dan613 there was a very real moment when I told the deceased person's spouse that we might have to wait on cremating them to use their thumbprint.

thankfully, we guessed their device passcode correctly (it wasn't written down anywhere).

it's uncomfortable to think about this "use case" when designing or implementing, but sudden incapacitation can happen to anyone so imo should be taken more seriously.

shortridge,

@cy you are vastly overestimating the usability of yubikeys for non technical people, especially the elderly.

many elderly people no longer even have fingerprints, too

nopatience, to random

@shortridge Hey, I really like the theme of your blog, is that hand-crafted or available somewhere?

And is that... Hugo or what? Gave me some well-needed kick in the... blog, need to update my own.

shortridge,

@nopatience it’s a Hugo theme with some personal preference tweaks. Theme iirc is called “hello-friend”.

Hugo is fine enough. Don’t love it but don’t dislike it enough to migrate to something else, either.

shortridge, to random

a sad but innocuous result of digitizing all the things is no more passport stamps

little kid me’s dreams of full passport books are dead 🪦 I always ask the officer for a stamp whenever I travel and they just laugh now :(

shortridge,

@chileannick that is such good intel, it’s now high on my list… pirate turtle omg

shortridge,

@duhanebel the EU may be one of the last places doing it. The two stamps total I have in my post-pandemic passport are from France and the Netherlands, so…

SteveBellovin, to random

An insightful comment by the chair of the National Transportation Safety Board.

shortridge,

@mweagle @SteveBellovin @edavies @norootcause

I’ll also flagrantly self-promote by mentioning that my book on software resilience is fully aligned with the OP quote.

One of my goals was to banish “human error” as a “root cause” of cybersecurity incidents.

It’s an entirely unserious practice, and also reveals how ill-equipped the industry is to tackle more fundamental contributing factors, like system design.

book link: https://www.securitychaoseng.com/

marasawr, to random

coming out of a grim, battering slog of a year, let’s all agree to make 2024 bleed

we choose our battles wisely and attack/defend/love/support with ✨ferocity✨

shortridge,

@marasawr gods was it ever a slog. solidarity in righteous self-sovereignty in 2024 ✨
