1/ I feel that any textbook on "Cybersecurity 101" should start with stories like this. Politics is more integral to cybersecurity than to other subjects. https://twitter.com/zackwhittaker/status/1265704383104405505
2/ Ideally, cybersecurity should simply be about risk vs. reward, costs vs. benefits. Instead, it's become a moral fight. It's your moral duty to be secure even if you get no benefit from it. It's a moral transgression when you don't do what you are supposed to.
3/ Take Richard Clarke's quote that you "deserve" to be hacked if you spend less on security than free coffee for your employees -- "deserve" means "punished for your moral transgressions".
4/ Almost all security guides tell people to choose "strong passwords". No, it's not really a thing. It's a trope, the feeling that the flaw is moral weakness, and the fix is to be strong.
5/ The real thing about passwords is "don't reuse the same password across all your accounts". That's so important that you can pretty much forget every other recommendation about passwords as long as you remember that one thing. But it doesn't fit the morality trope.
6/ The term "technical debt" is almost always used incorrectly, because people believe "debt" is morally bad and must be avoided. Bean counters know that "debt" is capital and must be embraced.
7/ Despite people like Bruce Schneier spending so much time criticizing "snake oil" in the cybersecurity industry, it's still a fixture behind everything we do. Technical battles take a back seat to non-technical battles.
8/ No matter how good my product is, as a vendor I'm ultimately selling to a largely non-technical market where buyers can't tell the difference between my product and snake oil.
9/ Why, then, as a vendor should I ever invest in technical quality? That seems like a foolish strategy. Luckily for the industry, there are many vendors who nonetheless produce good products despite the foolishness of doing so.
10/ You don't know what happened with the notPetya or Mirai worms. That's because the political narrative of what people want to discuss has wholly displaced the technical evaluation of what happened.
11/ With notPetya, what people want you to know is that it was based on a vuln weaponized by the NSA. What you should care more about is the supply chain risk of autoupdate, and the flaw in Windows networks that led to lateral movement via PsExec.
12/ With Mirai, what people want you to know is that IoT is insecure and we need political solutions mandating security. The reality is that since Mirai, over 10 billion IoT devices have been added to the Internet, while the problem Mirai exploited has decreased.
13/ I am good. Therefore, if you oppose me, then you must be bad -- unreasonable, criminal, with some sort of evil agenda.

It's what politicians claim when people criticize them ('fake news'). It's what vendors claim when researchers disclose vulns in their products.
14/ Almost everyone partakes in our increasingly politically polarized society, where it's less and less about underlying arguments/statements and more and more about simply what side you are on. The same is true of vuln disclosure.
16/ Is making trivial changes to URLs, such as changing "foo.php?articleId=5" to "foo.php?articleId=6", a violation of the CFAA's law against "unauthorized access"? The answer depends upon politics.
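The "change articleId=5 to articleId=6" trick the thread refers to is what the application-security world calls an insecure direct object reference: the server trusts the id in the URL and never asks whether the requester is allowed to see that object. The following is an added example, not part of the thread, contrasting a handler that trusts the id with one that checks ownership; the `ARTICLES` table, the user names, the host `example.test` and the function names are constructed for illustration.

```python
"""IDOR demo: a URL-driven article lookup, vulnerable and hardened (added example)."""
from typing import Callable, Dict, Iterable, List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample data: article id -> owner and body.
ARTICLES: Dict[int, Dict[str, str]] = {
    5: {"owner": "alice", "body": "alice's draft"},
    6: {"owner": "bob", "body": "bob's draft"},
}


def article_id_from_url(url: str) -> Optional[int]:
    """Pull articleId out of the query string; None if absent or not an integer."""
    values = parse_qs(urlparse(url).query).get("articleId")
    if not values:
        return None
    try:
        return int(values[0])
    except ValueError:
        return None


def fetch_article_vulnerable(url: str, user: str) -> Optional[str]:
    """Trusts the id in the URL. Any authenticated user can read any article,
    so editing the number in the address bar is the entire 'attack'."""
    art_id = article_id_from_url(url)
    art = ARTICLES.get(art_id) if art_id is not None else None
    return art["body"] if art else None


def fetch_article_hardened(url: str, user: str) -> Optional[str]:
    """Looks the article up, then checks that the requester owns it.
    'Not found' and 'not yours' both return None so the response does not
    tell a prober which ids exist."""
    art_id = article_id_from_url(url)
    art = ARTICLES.get(art_id) if art_id is not None else None
    if art is None or art["owner"] != user:
        return None
    return art["body"]


def enumerate_readable(handler: Callable[[str, str], Optional[str]],
                       user: str, ids: Iterable[int]) -> List[int]:
    """Walk a range of ids the way a curious visitor would and report which
    ones the handler hands back to this user."""
    readable = []
    for i in ids:
        url = f"https://example.test/foo.php?articleId={i}"
        if handler(url, user) is not None:
            readable.append(i)
    return readable


if __name__ == "__main__":
    print("vulnerable, as alice:", enumerate_readable(fetch_article_vulnerable, "alice", range(1, 10)))
    print("hardened,   as alice:", enumerate_readable(fetch_article_hardened, "alice", range(1, 10)))
```

The ownership check belongs in the handler, not in the link generator: hiding the other ids from the page's HTML does nothing once someone types a different number into the URL.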
You can follow @ErrataRob.