These things are unfortunately useless for any political campaign I've worked with. I wish Google would work more closely with real candidates and their teams right to train them to secure up their standard Google accounts
Replying to @SwiftOnSecurity
A well-funded congressional campaign will have maybe six core people, a bunch of ancillary staff and a cloud of volunteers around that. Everyone has a fixed mental budget for 'security stuff' that you have to stay within, each ring of people less than the one inside it.
Replying to @Pinboard @SwiftOnSecurity
It takes one bad experience with security restrictions for a campaign to abandon them. So any setup has to be simple to set up, very resilient to failure, forgetfulness, and crotchety people who are set in their habits and simply refuse to comply with it
Replying to @Pinboard @SwiftOnSecurity
I've found if you have a security true believer on the core team you can *just* get people on to Yubikeys, provided they can also fall back to authenticator, security codes, and app passwords. But it puts a large dent in the mental budget for dealing with security hassle
Replying to @Pinboard @SwiftOnSecurity
Now here Google has rolled out a security key that is bulkier than the 'put on your keychain' yubikey, breaks open if you drop it, expensive, and (according to reports that may be out of date? tell me!) sometimes flaky with Bluetooth. And you can't get into accounts without it
Replying to @Pinboard @SwiftOnSecurity
What I think Google should be doing right now is visiting campaigns, setting them up on security keys, leaving a free box of them for staff, and training people how to share documents safely without attachments. It should auto-move attachments (like from the DCCC!) to Gdrive
Replying to @Pinboard @SwiftOnSecurity
It should also be offering people on political campaigns and journalists a point of contact, like a 311, for security questions. And handing out Android phones that are competently secured (even better if they decide to manufacture one). They need to act before November.
Replying to @Pinboard @SwiftOnSecurity
Maybe I'm wrong about all this. But I've seen no evidence that Googlers are working in the field with congressional candidates, maybe the most at-risk cohort in the country. And I know for a fact that national Democrats are addicted to their attachments and will kill us all
Replying to @Pinboard @SwiftOnSecurity
I run Google's customer engineering team focused on public sector. I can assure you we're actively trying to work with governmental agencies to protect the elections.
@Jigsaw is working hard to get individual campaigns protected.
I'd be very happy to talk to you about this off Twitter. For whatever reasons, your work is not getting to where it needs to get, and time is short.
My DMs are open if you have ideas on how to spread this faster.