"Campaign security is a wood chipper for your hopes and dreams"

What I Learned Trying To Secure Congressional Campaigns

I traveled the country like Johnny Yubikey, distributing little blue security tokens from a sack. [...] I don't believe I accomplished much, but I made so many friends along the way! And I learned a lot about the idiosyncratic world of Congressional campaigns; knowledge that I want to now hand over to you, the next person willing to take a swing at this piñata of futility. [...]

Practical campaign security is a wood chipper for your hopes and dreams. It sits at the intersection of 19 kinds of status quo, each more odious than the last. You have to accept the fact that computers are broken, software is terrible, campaign finance is evil, the political parties are inept, the DCCC exists, politics is full of parasites, tech companies are run by arrogant man-children, and so on. [...]

Offering security training is like being a dentist offering a teeth cleaning. Everyone understands in the abstract that this is something they need. They feel guilty about putting it off. Maybe if you are really persuasive and can talk in scary terms about gum disease, they will agree to do it. But they will not enjoy it, and however much they promise, they are never going to floss. (Also in this analogy the dentist isn't a real dentist, but some guy who runs a bedbug website.)

  1. Zygo says:

    Priceless quote: "The day I see a Hello Kitty security key is the day I know that phishing is dead."

    • jwz says:

      Honestly it was hard to pick only a few pull-quotes from this one.

      • marijane says:

        just about everything he writes is a joy to read. i am happy to have backed his kickstarter for his trip to antarctica, even though i'm still waiting to get my burrito tunnel poster, it was more than worth it.

    • Nick Lamb says:

      I'll settle for if either my good bank or my safe bank send me a branded Security Key next time they get all worried about security (the good bank makes me use an OTP token with a chiclet input pad which is... clunky but effective, the safe bank is still doing SMS codes)

      [I call it my "safe" bank because it's literally part of my government, and so it's safe in the sense that it cannot go bankrupt and lose my money, as if the government goes bankrupt that means all the money is now worthless anyway.]
