I know I am not the first one to say this, but there are a lot of very well credentialed people in tech worrying what would happen if internet giants collectively de-platformed a group who isn't right wing, while totally erasing the fact that it already happened to sex workers.
Lesley Carhart
@hacks4pancakes
ICS DFIR , martial artist, marksman, humanist, Lvl14 Neutral Good rogue, USAF Ret. Tweet *very serious* things about infosec. Thoughts mine. They/them
How to tell when no women were involved in brainstorming a tech idea.
This an extraordinarily inappropriate political use of a USG account.
When soldiers loot stuff that can be tracked on Find My, and take it to their base… twitter.com/juliaskripkase
If you’re angry for no reason, you’re burnt out.
If you’re sleepy for no reason, you’re burnt out.
If you’re irrationally mad and your work suddenly looks bad,
Spontaneously apathetic, you’re burnt out.
In my life as a security professional, I have had exactly three IT friends / colleagues come up to me bragging about the secret digital surveillance they constructed to monitor their kids.
Every single one of them ultimately destroyed and lost their relationship with their kid.
Repeat after me:
I’m good at my job.
I’m smart & help others.
It’s OK I’m not an expert at every niche of infosec as long as I keep learning.
Yes. It was the best choice. But I had confidence I was employable, for sure.
Everyone shocked about a drop in US life expectancy while looking at their phone at 2AM instead of sleeping because they have to work 90 hours a week, and planning their meals of food that's 70% processed sugar because that's what's affordable at the grocery store on average pay.
I’m so confused by this being from Getty and not
Escort services, but just to rent a man to stand there and nod sagely in a manly way when you are trying to negotiate to buy a car or hire a contractor as a single woman. 😣
One of the Anonymous accounts now has thousands of people leaving five star Russian-language reviews for random restaurants and hotels in Russia with facts about the invasion of Ukraine, to evade censors. 🤷🏻♀️🍸 It’s hard to keep up.
I’m very happy to announce I’ve accepted the position of Director of Incident Response for North America at linkedin.com/posts/lcarhart
Very hot take - your employer should never force you to use, then install security monitoring on, a personal device which can be legitimately used to watch porn, sext, perform financial transactions, call your sponsor, or anything else that you reasonably could be blackmailed for.
MySpace taught a whole generation of girls to learn to write HTML on their own terms outside of class and without parental pressure, and I sometimes worry if anything popular today forces young people to learn to build tech stuff other than video editing on their own anymore.
Stupid tech problems: I bought a new area rug, and have to get rid of it because my robot vacuum sees the abstract patterns as a cliff and can’t cross the room anymore.
I was going to come here to give a calm technical and legal context explanation of why this is an insane thing to pursue, but… yeah, okay. This works.
Tech people on Twitter be like, "just buy and install a pi hole to make your $2000 smart TV not play constant ads and narc on your viewing habits"
Things I wish we would stop saying in tech:
“She shouldn’t complain. We all got hazed as new hires!”
“He’s a wimp. We all did 70hr weeks and never saw our families!”
“Vacation?! I didn’t take a vacation for 6 years!”
Like, why are you defending horrible labor practices so hard?
I am tremendously honored to be named a 2020 “power player” in cybersecurity by SC Magazine.
Lesley Carhart: if the shirt fits, or even if it doesn’t, wear it scmagazine.com/women-in-it-se
I'm still trying to wrap my head around the sheer scale of the #Equifax breach. They might as well reissue SSNs to every citizen.
Buying a house requires me to shut off my security brain and make like 5 terrible security choices a day just to finish the process. Today I introduced a mortgage guy to password managers. He was using Excel.
Every couple years, someone reverse engineers a popular free social app, discovers it collects all the metadata it possibly can about your device and behavior, it blows up, everyone is shocked and promises to delete the app, then like 100 people do and people keep using them all.
This is a rare instance in which I’m very proud of Google. This feature will save lives, as these monitoring services are perpetually misused by domestic abusers. Google doesn’t know if you’re a helicopter parent or a boyfriend beating his girlfriend if she looks for a shelter.
Family.
There
Are
No
“InfoSec Rockstars”
I’m eating an entire brick of Target cheese after falling asleep at my desk again and being too tired to cook. I am a grumbly security janitor.
If someone not-sarcastically claims to be an “Infosec Rockstar” they’re selling you FUD.🤷🏻♀️
It’s 2022, and I just saw an adult cybersecurity person on LinkedIn unironically suggest installing Linux instead as a requested solution to securing a Windows server. Help me while I turn into a pumpkin, fly into the October sky, and implode into candy corn above the land.
I don’t know who needs to hear this, but you need to think of the pandemic as a long-term problem stretching well into 2021, read up on risk of activities and mitigations for you personally, and design a plan that allows you to keep your physical and mental health that long.
So many IoT problems source from us wanting the tech from the Starship Enterprise while forgetting our planet is run by Ferengi.
This tweet is for a specific type of person - especially young and hungry ones. I’m talking to the ones who jump in and quietly save things whenever their teammates and seniors drop the ball. Sometimes when not too much is on the line, you have to just let them fail.
When you absolutely have to swordfight heroically in a ballgown (it happens) cc
This is both satisfying and unsettling
Recognize the early stages of infosec:
“I just read the ‘top 100 passwords’ and they’re super weak!!”
“I turned on external logging and there’s all these brute force attempts!”
“People still use Java!!!”
“SHODAN!”
*Results may vary.
Ask your doctor if infosec is right for you.
Ah yes. The old, “I suffered, so everyone else should have to suffer too”. It’s worked well for the measles vaccine.
The hacker / infosec Mastodon servers have really reached critical mass to contain useful community and information. If you haven't tried it out yet, I really recommend it. There's enough intel and news to be viable at this point.
The Venn diagram of people who won’t get the COVID vaccine during a society crushing pandemic because imaginary microchips, and the people who install Ring doorbells, post videos to NextDoor, and share facial data with the police is a circle.
Hear me out - what if we just leave Facebook dead and just like, null route them globally while they’re locked out of their offices and can’t see us?
I’ll add in my 15 years of experience and multiple civilian and military cybersecurity credentials to endorse this statement.
You don’t get to pretend it’s not eugenics when you force women of color to have a hysterectomy against their will, while at the same time I’m not allowed to get my tubes tied as a white woman at high risk of ovarian cancer because I’m unmarried and “MIgHt wANt KiDs lATEr”.
Remember how in TNG there was a mental health professional sitting next to the Captain on the Bridge, who went to all senior staff meetings and gave input directly to senior leadership?
Why can’t we be more like that?
My dudes, there are like only 300 of us in each cybersecurity niche and we *all know one another*. If you plagiarize our research, training, or blogs, we are going to find out before Judge Judy reruns end for the day.
I’m in this very serious management course and they told us to put a virtual background on today when we logged in. Everyone else has a pretty landscape photo. I chose the Star Trek bridge. It was apparently not the correct choice. This is all going really well.
It directly undermines the credibility of incredibly important work being done in national security and cybersecurity to protect our infrastructure and population.
Confronted the guy who was abusing the retail workers at the checkout for the first time. Absolutely gave him the third degree. Still shaking from that adrenaline.
The magical thing was that once I did, everyone else in line finally stood up to him too.
Ehhh... it’s one donut, for someone already there. I mean... I think incentives are a good idea
Hey kids. I know the bad right now can get really overwhelming. Remember that everything you do, no matter how small, counts. Just try.
I'm just instantly blocking people who try to gaslight me this week, be it on infosec, minimum wage, natsec, or human dignity. Don't care if they're blue checks, execs, or have 8000 infosec followers. I'm all out of bubblegum.
I’m so excited for October to be over so I can stop being aware of cybersecurity.
Security does not mean privacy
Security does not mean privacy
Security does not mean privacy
Security does not mean privacy
Yea so tonight a junior infosec person called me.
He was struggling with a bad employer who was gaslighting him and not giving him any path to success.
I think my next talk needs to be about how to succeed in business as a junior infosec person.
LMK where I should submit it.
*goes to buy bus ticket*
*bus ticket site is down*
*can’t get to work destination*
Me: jokes to coworker that bus company is ransomwared
Coworker: texts that bus company is, indeed, ransomed*
Me: WTFFFF
This is 💯 super duper salty, but I wish the people who shredded me in March when I suggested DEF CON go virtual would unblock me. Because the pandemic is still a thing, Vegas did open irresponsibly, and the DC crew have done an absolutely amazing job organizing a virtual event.
Merry Christmas to everyone except GoDaddy infosec leadership specifically.
Quote
With the holidays around the corner, GoDaddy employees received an email last week offering some welcome financial relief: a $650 holiday bonus.
Two days later, they received another email from GoDaddy:
“You failed our recent phishing test.” coppercourier.com/story/godaddy-
Alex, give me ‘the worst ML idea I’ve ever heard’ for 500, please.
Quote
Two US military experts have proposed giving artificial intelligence control over the nuclear launch button. @mchorowitz weighs in on the risks: "...training an algorithm for early warning means that you’re relying entirely on simulated data.” bit.ly/2ZodCg5
Next time you decide to not take a vacation for a year and work with the flu and don’t see your kids, please remember that people were beaten in the streets so that you could have weekends, corporations would take them away in a second - and replace you with a robot in a second.
My favorite hot take of the day is the Russian bots defensively claiming Russian industry can “just switch over to Huawei from Cisco” since the country has been cut off. I mean, I’ve seen companies postpone Cisco network *segmentation* alone for 20 years. 😅🍸🤷🏻♀️💀
A little holiday advice from Commander Pancakes. Shared it with a friend but I'll share it with you, too.
Oh no. The whole “Alexa is a spy tool” thing is making the rounds again. 🤦🏻♀️
Once again, reducing attack surface is awesome, but keep your panic relative to the fact you have a smartphone with a *hardwired area mic* that you use to view dubious ad services, in your pocket.
Hello, I would like to introduce you to the new plethora of free cliche hacker stock art, now *finally* available in a multitude of genders and skin tones. But still entertainingly cliche and extremely context-free.
Do you ever just ... want to lock a fully grown adult you genuinely care about in a classroom for 8 hours and just ... start from scratch with basic critical thinking, life skills, science, objective reality, etc?
Why am I sharing stuff about the dire financial state of the USPS as a cybersecurity professional?
Because I care about secure remote elections, and after years of debate and study we know of one way to do them well. That is the USPS. (fin)
Friend calls me, 9PM. “Hey, can you like, pretend over the phone to hack into a military database to prove to my 8 year old who can’t sleep that Jason Voorhees isn’t real?”
😑🤔👩🏻💻 Yes, I even grabbed a noisy keyboard.
My assumptions, whenever the following people say, "can we have a chat":
Boss: I'm getting fired
Direct report: They're quitting
Family: Someone is dying
Friend: I've done something embarrassing
Doctor: I in specific am dying
CEO: We're all dying
I don’t think it’s extreme to want my aircraft flight crew to be vaccinated against highly communicable diseases.
I found the house. It’s perfect! Wish me luck in offer / inspection, please!
Spent my weekend busting my butt to get new folks into our industry, and come back to more gatekeeping.
Know this:
You can succeed in and enjoy cybersecurity. Regardless of gender, race, background... Society and life may throw hurdles, but lots of us want to help you succeed.
Guys the roofers are replacing my roof and there is a secret 3x10 room walled off in my house
Is it only because I’m an infosec person, or does anyone else see an interesting ad for a product you actually want or need, jump through screens of hoops and then totally give up in disinterest when they require an email to get pricing or product details?
It’s a terrible, dark, deadly new era for women in the United States. More so for underprivileged and abused women.
365 days and -1/3 of my body weight later. I feel so much better.
Everyone is tired. The adults are tired. The kids are tired. The teachers are tired. The students are tired. Everyone is just tired, and companies and leaders just don’t seem to notice.
My new hobby is using spaces in passwords for supposedly secure cybersecurity applications and sites to see which ones break and how badly.
How utterly sad is your life and hacking career if you get super mad when people use a different text editor than you, like they don’t both write characters into files and then display them.
I would pay very serious and close attention to Mr. Nance. He is an eminently credible expert and I trust his judgement. Review your physical security plans at offices and data centers.
Quote
WARNING Followup: Specific targets being discussed by RWEs are HQ offices of @amazon, @Facebook, @Microsoft, @cnn, @MSNBC, @washingtonpost @nytimes, @Google facilities & staff. Assess plans as aspirational but quickly radicalizing armed supporters. #IncreaseYourSecurity twitter.com/MalcolmNance/s…
If this is it for Twitter, it has been an honor and a privilege to serve, shitpost, cry, and laugh with *all* of you pals for the last 12 years. Thanks for being an amazing community and for believing I was worth your time.
I guess I can tell now that it is just about over.
I'm retiring from the USAF.
It's been a wild ride, but also my entire adult life. A long time.
My retirement ceremony has my D&D Dungeonmaster giving the invocation, and insane amounts of D20 party favors and Portillo's.
As promised
Quote
Replying to @hacks4pancakes @blowdart and @evacide
I mean, who hasn't worn a ball gown during a customer call?
Every few days, imposter syndrome hits me about some cybersecurity thing or another. Then I remember Rudy Giuliani exists and I feel much better about myself
Did the police write this article?
Is cat in your threat model? 😂🤔
Quote
My sister accidentally locked me out of the house so I went to check if the back door was unlocked and this happened
(TW abuse) I need to lay out a scenario for y’all because it’s just not getting through some thick skulls.
You’re a young woman. For some reason you have an unplanned pregnancy. It’s not really our business, but maybe a date goes sideways and the dude takes the condom off.
By age 35 you should have busted your own computer by overwriting the registry at least once, then tried to play it cool.
I wish I could be friends with every single person in infosec.
I wish I could help all of you and make your lives better.
I'm just one, flawed human. I really do my best, but I won't be driven out of this field or off social media because I disagree with you or your friends.
PSA: Shitty frat boy behavior at tech cons *always* bothered and pushed away a ton of people, but for decades the only way to network and do the work you loved was to shut up and deal with it with alcohol or a therapist, because shitty frat boys owned such a huge market share.
All the other infosec 'influencers', it feels:
- impressive pro home gym
- posting workouts at 5am
- luxury car photos
- perfect candid head shots
Me, Pancakes:
- pro thriftin' at the Goodwill
- eating peanut butter by the jar
- accidentally ate a hair
- in my Honda
- let's Tweet
A friend in finance just asked me to put internet explorer back on her PC because the official usgov site she needs only runs in it, her help desk is outsourced and won’t help, and the only option she could do herself was doing her work on a personal Windows 7 laptop. Ah, yup.
20 years ago today, I was a young SQL developer just starting to go to some hacker stuff, and my friends and I were so-super-psyched to see the Matrix after its mysterious trailers.
That was a long time ago.
Unwritten guidelines for infosec Twitter:
- it’s a great source of intel and education
- most people are not being paid to provide you infosec content, so don’t yell when they don’t
- you can find a job here if you’re sincere
- there is shitposting
- most people like shitposting
You know how we’ve been asking to remove those “joined Signal!” messages for like one million eons due to cybersecurity and privacy concerns?
Today is the day my mom’s former number joined :(
To the person who refused to wear a mask around me indoors a week ago who has tested positive, caused me to drive 50 miles across Chicagoland to find a test center with any tests, miss work, and be quarantined waiting for test results for 4-7 days - thank you. This is a pleasure.
Incidentally my college debt *is* fully paid off, and I’d be thrilled to see my young students not have to be caught in predatory forever-debt.
Man... I don’t know how to break it to some infosec companies, but infosec is small and we talk, a lot. If you burn bridges by continually abusing your employees or acting seriously unethically, we all know within a few months. Heard some more awful burnout stories last weekend.