The BsidesLV "Cavalry" track was exactly that: how Policy has been changed due to significant efforts by technical people, such as medical devices being subject to FDA regulation and the DMCA exemption. This year's talks are not up yet, but the track from last year is at https://www.youtube.com/playlist?list=PLjpIlpOLoRNTdZqdr-jR9sa8niVSy4pPf
It was very educational, I found, for example how difficult it is to define what a "password" is in legislative and legal terms, amongst other things. We are used to contextualising technical risks to business/risk owners; however, staffers and policy makers are very different animals.
JJ
On 15/08/2023 16:07, Katie M via Dailydave wrote:
The policy-making trend deserves its own thread.
Dave & I and a few others have done “deep policy work” which requires years (not just a few meetings and summits) of pushing extremely unpopular contrarian technical facts over desired policy outcomes that were drafted by people who often don’t fundamentally understand how computers work.
The policy tail has been wagging the technology dog for a while & it’s all running amok off-leash.
As soon as Policy became more popular, I have seen policy makers scrambling for technology influencers, inviting anyone and everyone with generalist tech knowledge, too little experience, or the wrong specialty knowledge for the task to inform what becomes damaging policy that then has to be undone over years.
Policy work is often looked down upon over “real technical work” - but look at how much it affects all of us, for good or for ill. We can’t afford to let less technical people set the rules for us or for the Internet.
Policy Influencer tourists who enjoy their Congressional staffer meetings & Whitehouse summits often unwittingly pollute the tech ocean with too many tech-adjacent microplastics and platitudes that are turning into tech policy forever chemicals.
We need more hands-on technical people with industry experience at scale who are willing to wade into the kind of years-long deep policy work that we all do not prefer over our technical work, but still desperately needs to be done.
How does one get invited to the table that goes beyond tech policy tourism, as an active participant and not just a passing guest they invited just as much for a photo op as they did to ACT on your advice? Just like everything you’ve ever done worth doing, you need to find an area you’re passionate about and you have to try a bunch of extremely tedious things until you pop that policy shell.
Ask Dave. He and I spent years attending meetings that mostly did not concern us, for the chance to speak up on the topics that did, until we were finally asked to officially join things like Technical Advisory Councils.
We may already be too late to reverse this Internet climate catastrophe. But we have no choice but to try.
k8e
--
On Tue, Aug 15, 2023 at 07:22 Matt Suiche via Dailydave <dailydave@lists.aitelfoundation.org> wrote:
You are on point on so many levels. I've also been noticing a significant culture shift.
There is definitely a strong focus on policy-making, which now promotes conformity in thought and dismisses critical perspectives. These are the very things that the hacker culture once opposed, but they also now represent what policy-making is. We could even say that policy-making is now molding the hacker culture, rather than the other way around, and that this shift will inevitably lead to a "glocalization of cyber."
The definition of "technical work" appears to vary widely across various clusters of our industry, including within those self-specifically categorized as "technical clusters." When I engage with younger individuals, I frequently encourage them to consider a career as a software engineer, where they will have the opportunity to create tools and products rather than merely using someone else's creations. While this may seem obvious, the increasing noise in the industry makes it feel, year by year, as though the culture is shifting towards mastering "products" rather than developing "skills."
Well... It was fun while it lasted, thank you all for playing.
Best Regards, Matt Suiche
On Mon, Aug 14, 2023 at 8:03 PM Dave Aitel via Dailydave <dailydave@lists.aitelfoundation.org> wrote:
The Vegas security conferences used to feel like diving into a river. While yes, you networked and made deals and talked about exploits, you also felt for currents and tried to get a prediction of what the future held. A lot of this was what the talks were about. But you went to booths to see what was selling, or what people thought was selling, at least.
But it doesn't matter anymore what the talks are about. The talks are about everything. There's a million of them and they cover every possible topic under the sun. And the big corpo booths are all the same. People want to sell you XDR, and what that means for them is a per-seat or per-IP charge. When there's no differentiation in billing, there's no differentiation in product.
That doesn't mean there aren't a million smaller start-ups with tiny cubicles in the booth-space, like pebbles on a beach. Hunting through them is like searching for shells - for every Thinkst Canary there's a hundred newly AI-enabled compliance engines.
DefCon and Blackhat in some ways used to be more international as well - but a lot of the more interesting speakers can't get visas anymore or aren't allowed to talk publicly by their home countries.
If you've been in this business for a while, you have a dreadful fear of being in your own bubble. To not swim forward is to suffocate. This is what drove you to sit in the front row of as many talks as possible at these two huge conferences, hung over, dehydrated, confused by foreign terminology in a difficult accent.
But now you can't dive in to make forward progress. Vegas is even more of a forbidding dystopia, overloaded with crowds so heavy it can no longer feed them or even provide a contiguous space for the amoeba-like host to gather. Talks echo and muddle in cavernous rooms with the general acoustics of a high school gymnasium. You are left with snapshots and fragmented memories instead of a whole picture.
For me, one such moment was a Senate Staffer, full of enthusiasm, crowing about how smart the other people working on policy and walking the halls of Congress were - experts and geniuses at healthcare, for example! But if our cyber security policy matches our success at a health system we are doomed.
I brought my kids this year and it helps to be able to see through the chaos with new eyes. "What's 'cool'?" I asked, in the most boomery way possible. Because I know jailbreaking an AI to say bad things is not it, even though it had all the political spotlights in the world focused on examining the "issue".
The more crowded the field gets, the less immersion you have. Instead of diving in you are holding your palm against the surface of the water, hoping to sense the primordial tube worms at the sea vents feeding on raw data leagues below you. "Take me to the beginning, again" you say to them, through whatever connection you can muster.
-dave
Dailydave mailing list -- dailydave@lists.aitelfoundation.org To unsubscribe send an email to dailydave-leave@lists.aitelfoundation.org