Don't just have a dedicated area, make it a place you want to work from. It seems obvious, but once you're working from home, it's easy to just cobble together a workspace in a room and call it an "office". Your office should feel comfortable, a place you want to spend a good amount of time in, but is not distracting. At the end of the day, it should also be a place you leave in favor of living life. I wrote about my home office just in case you want some ideas, https://medium.com/@9bplus/my-home-office-f531f662fc51. Been working from home for 2 years now.
“That’s one of the problems he seems to be grappling with: more money, generally, means less struggle, and if it’s struggle that made him, how does he find that going forward?”
He didn't get terminal cancer, I remember with all his money he went the looney way of treating cancer and then it was too late for a proper treatment. Money does give you opportunity to get better healthcare that mere mortals can only dream of.
By simply reinvesting his money into the economy via stocks and bonds he is contributing to making the world a better place.
Market economics has been lifting the world's humans out of poverty at an alarmingly fast rate since 2000. You'll never hear about this in the news of course.
Campaigns should be finding ways to work with professionals from the cybersecurity sector, not looking for ways to bolster defenses on their own. The adversaries these groups face far exceed the norm when it comes to industry standards: your security admin from off the street is going to be no match for a well-determined government. You need seasoned professionals who have background across active incident response, defensive efforts, intelligence and general best practices to even stand a chance.
People who match the description above don't need to be found as much as they need a point of contact to campaign staff. Many of us are more than willing to dedicate the time and resources needed to advise those who wish to take security seriously, free of charge. The issue lies in the shared opaqueness of the two parties that must come together; neither knows quite who to contact and both are unsure how to engage. We should not let a lack of understanding get in the way of protecting our (anyone's, really) election process.
That's a great way for campaigns to get lots of WAFs, intrusion detection systems, endpoint agents, and vulnerability scans. But what campaigns need is actionable advice that breaks phishing and attachment attacks. For that: they should use iPhones and, when they use their desktop computers, Yubikeys. You don't need professionals from the cybersecurity sector to make that happen (although I am one of those); you just need someone to buy a bunch of Yubikeys and spend 15 minutes with the campaign showing how to use them and telling them to be afraid of their desktop computers.
I agree with your general sentiment, but if it were that easy, we wouldn't even be having the discussion. Nation states going after a campaign are likely to succeed; it's about limiting the exposure if they do. To your point, there are a number of no-brainer processes or technologies to make those compromises difficult or severely limit the damage, and many do not require much to put in place. You do need someone on staff, though, constantly monitoring and enforcing best practices.
Campaigns :clap-emoji: never :clap-emoji: have :clap-emoji: this :clap-emoji: person :clap-emoji: on :clap-emoji: staff.
You really have to get a sense for how ragtag a political campaign is. Startups --- themselves pretty ragtag --- are raising funds and building for an imagined future in which they're big. They might engage professional IT and security (though many don't). Campaigns aren't like that; every single one of them will be "out of business" within a year and a half. They have minimal infrastructure and a mostly volunteer staff, and there are many hundreds of them every cycle.
At best, you might suggest that the upstream service providers for campaigns, like NGP VAN, should get better at security. The DNC, for instance, has an experienced CSO. But that CSO can't do all that much for individual campaigns.
> you just need someone to buy a bunch of Yubikeys
This is so wrong it's hilarious. I've been doing computers for forever, and "security keys" are STILL a universally lousy user experience.
What happens when you lose one? How do I install multiple keys? How does their manager revoke their keys when they leave the company? And where is the server that controls all this, and how do you administer that? I could go on ...
If you have any pointers to tutorials how to do this, I'M ALL EARS. Seriously.
The purpose of a U2F key is to break phishing. You want users to use them as much as possible (on computers), but you do not depend on them being the only second factor.
So you can buy and enroll 2 keys, or just do what Google forces you to do: enroll an additional second factor, like a code generator.
I do not understand your revocation argument at all. When you let a staffer go, you lock their account. You do not care about their keys.
The word "passion" is charged these days, but as someone who has successfully completed a number of long journeys (opensource projects, sale of company, 15 years of cardio, etc.), I think that has been the key to my success. In other words, you have to love what you are doing and then your interests will dwindle less.
Even with love, it can be difficult to remain focused. A trick I do when I run is to constantly recalibrate my goals as I am going. If I am having a hard time a few miles in, I tell myself to get to the next quarter and then the next until it's a half. Eventually it's a mile and I start again if I need to or expand scope. I will apply this same technique to life and have found it can be very useful.
If you've tried all of those, consider the process of abstaining from something or extreme focusing for a set period of time, say drinking alcohol or performing a 1 min plank every day for 30 days. I will do these exercises and the feeling I get from them is similar to the dragging feeling at the final 25% of a project. It conditions you to push through it because at the end of the day, it's only 30 days.
And I guess as a catch-all, if you really want to see it through, make that your goal: to complete one single project from start to finish, no matter what.
While it's expected a technology company dealing with communication would be the target of external threat actors, I think there's value in Slack being very clear that eliminating the risks from a strongly motivated actor is not completely possible. As commonsense as that would seem, most of the public do not have a strong grasp on these more advanced cyber actors. What's nice in being proactive is that it opens up a proper conversation prior to a breach (yes, I know they were breached before) and could get us closer to coming up with a better solution for dealing with these attacks.
The security market is insanely hot right now and will continue to thrive. From my perspective, we are reaching a point where security is seen as a commodity, not some optional process: everyone needs to know about security, even if they aren't working in the field. From a job perspective, schools are not able to keep up with the demand, and even then, those leaving academia are not showing strong practical skills they can apply.
SysAdmin/SRE/Dev is the perfect sort of person to transition to security. You are going to think about how the system functions, what is running on top of it and how to ensure it stays online. When I interview candidates, I like to see an alternative background as it means that person is going to bring a new perspective. "Security" as a job doesn't really make as much sense to me: you specialize in a given area (i.e. network background folks may maintain appliances, rule sets, detection signatures, etc.) and apply security to that area. I see your area as a means to solve a lot of security problems. Configurations, deployments, etc. can be checked in and accounted for with code instead of relying on people; there's massive power in that.
When it comes to certifications, I think there are two schools of thought. There are folks who look at the paperwork and make sure you can check the box, giving way too much value to certifications. Those who have been around a bit see the certification as practical, though no substitute for real-world experience. If you are being cost conscious, check out some of the free resources online for Network+ [1] and Security+ [2]. The important takeaway from those materials is not that you _need_ a certificate, but that you should understand the content and be confident in speaking about it.
If the red/blue side is more your style, I can't recommend enough checking out the Offensive Security courses [3]. The tool set is free, the course is reasonably priced, it's a lot of fun and will give you real-world experience that is far more favorable than the standard certificates. Skip the whole CEH program as it has a poor reputation.
You mention six figures, but don't provide a scale, so it's hard to know how much of a pay cut you would potentially take. That said, security pays well and it's not uncommon to see salaries in the range of $100-200K even with less experience. All salaries are relative, but in general, a lot of my peers are not exceeding 200K on the base, though they clear a lot more when factoring in other incentives like stock or bonus.
Background: Been in security my whole career (started in networking and morphed into security) totaling close to 15 years. Like you, I have a set of skills outside of security (sys admin, networking, dev) and it's played in my favor a lot. Reach out to me direct if you have more questions!
Agreed. I'm only about 2/3 the way through it, but a lot of comments in this thread, and the article itself, seem to go against what he says. But, he does mention that sleep leads itself to a host of other issues, and that's what could cause the death. As to all the other claims, well, we don't really know how sleep deprived we are, as he mentions.
During the early part of high school, a few friends and I began attending community college night classes for subjects we got exposed to in our day classes. By the time I graduated, I was halfway through an AAS degree and considered continuing locally a no-brainer.
Ended up transferring 70 credits or so over to a four-year institution 1 year after graduating high school and managed to walk away with a BS degree earlier than my peers and with no debt. Without community college, there's no way I would have achieved this; I owe a lot to that part of the system.
For many years, I felt like an imposter because of my community college background. The irony in it all though was that for a much cheaper, often more flexible schedule, and sometimes better teachers, I walked away with a lot of the same opportunity as my peers. Naturally, my "network" wasn't filled with ivy-leaguers, but I'd later rub shoulders with them in my employment and be considered equal.
I'd assume so. More potential fake "subscribers" mean more bounced email and higher volumes, which could be used as an early warning indicator for spam or reputation flagging. Slightly related, but I've noticed countless delivery issues with Mandrill, Mailchimp's transactional service. Their portal claims messages have been delivered, but many organizations relay back to us that their message never made it past the mail gateways.