Monthly Archives: January 2019

Ever since DJT was elected, I’ve been confused. How did this man, this charlatan, this scammer become POTUS? Why were the news stories I read as a responsible consumer & civics-obsessed citizen constantly citing his Tweets, logo & all? Why did we give power to this man? What’s broken? Some said titanic shifts in culture & society were obviously afoot and DJT got elected to burn the ancient regime down. Others said we got hacked by the Russians and the results were illegitimate. Still others said it was legitimate push-back against liberal or neoliberal advances in the Obama admin. This wild outcome followed Brexit, another unexpected & world-shaking event, which I won’t pretend to understand except to say that the west was shook.

Strangely, at work, in my now 17 year old career as an IT Pro, everything was changing, changing much faster than I had forecast when I last looked at the industry in depth. In 2014 I wrote a blog post advising IT Pros to adopt a cloud-first focus in their careers, lest they be left behind. I hadn’t anticipated social media being so important back then. I thought it was an ancillary thing, a thing you don’t really need to consider when you think of your career. But now, in the wake of DJT, it felt like something -maybe work-related, maybe not- was accelerating there in the dark winter & cold spring of 2016/2017.

It was then that I decided to return to where the people were. That was only natural. I had questions. The people had answers. And the cool thing was, they were accessible to me. Where? Where else. On Twitter. The toxic social platform everyone loves to hate. I’d already gotten wise to Facebook, you see, sensing more or less that it was a malicious platform, an AdTech Superpower disguised as a soft ‘n cuddly “We Connect the World” teddy bear. I deleted my account there in Spring 2017.

But Twitter? Twitter I had largely ignored/left behind since closing my old local news blog in 2013.

At the time, I didn’t quite know why I was going back to Twitter. I’d stopped using all social media back in like 2013 or so, save for the cursed LinkedIn, which I maintained for purposes of my career, such that it is. I just knew that the answers I was seeking to understand all the changes I was seeing around me were likely in this place, in Jack’s place. And I knew smart, observant people in multiple industry verticals were on Twitter. So I went back.

Looking back now to late 2016 when the shock was raw & visceral- I can see the reason I came back to Twitter. I came back to twitter to write this. I didn’t understand that at the time, but I sure as hell do now. Here’s the progression, much of it in my own Twitter feed.

Jumping back in to Twitter

First thing I did on Twitter was present myself as an IT Pro. I had figured I could make some headway in answering my questions there, if I associated with other IT Pros & Technology professionals like myself, thinking it to be a kind of fast-paced, rough ‘n tumble & less buttoned-up version of LinkedIn if you will. People on twitter felt free to talk, this thing was the free speech platform, the pundits said, and that little bit of text “Thoughts & opinions expressed here are mine and not my employer’s” was a magic talisman allowing everyone to speak freely. Perfect!

DJT Inescapable

I think my reputation as an IT Pro is decent, so I jumped back in & blindly felt my way around. I tweeted largely about Enterprise IT technology at first, I think. I got some likes & nibbles, some new followers. But then, I’d experience that perpetual complaint in Twitter: stuff appearing in my TL that I didn’t expect. And it was DJT stuff!  I’d read the news as DJT took office, or squatted out a new tweet. And I’d freak. This is not normal, I thought. But this is my kinda/sorta free speech LinkedIN, better button up and not talk too much about it. Understand, the “this is not normal” was my reaction to the substance of a DJT tweet, not my reaction to Twitter showing me it.

And yet, I did…you couldn’t avoid DJT. It was impossible. I even tried filters for awhile, but nothing worked well enough, or maybe I was just not skilled enough to understand how to use them. As a result my tweets back then were primitive & stupid. And predictably,  I found very few of my largely IT Pro + old blog follower people were interested in talking about my questions or debating my ideas about these & other changes I was observing. Some engaged for sure…I was like, hey, why’s the new world so different than the old world? I’d get a few nibbles, pick up a few followers, lose a few more. Found some folks who had the same questions….neat! But I felt the pressure to stay on topic as an IT Pro and tweet only as that.

But I still kept seeing DJT stuff. And I can’t contain my reaction to it. I just can’t. I’m a political person, I enjoy reading & thinking about politics when I’m not at work, and sometimes when I am at work.

Speaking of work, in 2014/2015, I had started thinking more about infosec, parallel to all the news we Americans read as we saw our private data, held by the government, by retailers, by insurers, and by social, get breached & stolen. Naturally, I floated over to the infosec community, which was nice, cause  I was getting more involved in security at work.

I thought I’d be welcomed there, and I was. It was really neat to experience that. People were open to me and my ideas, all because I was honest & had legitimate and authentic experiences working as an IT Pro. So I started tweeting and mixing in with that community more. I’d frequently comment that I just wanted to secure my employer’s stuff, and then I’d see a new Facebook revelation that said that enterprise didn’t have to play by the rules mine did. And it upset me, so I tweeted when I was upset, and, due to my own poor ability to read & understand the space I was in, I took their openness as a sign that they too trusted this public place, and considered it legitimate to debate politics here, or advocate for a cause I thought they’d believe in (security & privacy), like we do in the commons.

The Crazy Hall of Mirrors that is Twitter

But I learned something. It’s extremely easy to bump up against other people in Twitter, to make them angry, or to make them feel like they’re under attack. It’s not true that they are overly sensitive or I am overly aggressive (though I admit to episodes of this, and I sincerely regret it). It’s simply that we’re both in a confusing space whose mechanics & physics are easy to weaponize, and that results in the amplification of bad stuff and bad-faith stuff that appears in our timelines. Naturally, most of us are good-faith folks, and so we want to warn others of bad-faith stuff, so we share it, but that’s to the detriment of being forthright about ourselves & our intentions, as Joan Donovan, PhD at Data & Society has observed.

All this occurs inside a space that surfaces zero trust signals about the items we see on our screens, save for the Blue Covfefe Checkmark, which we’ll return to soon.

I did lots of stupid stuff like this on twitter, the new private commons

I started to realize it’s a smoky hall of mirrors. It’s not like the old internet, where people searched for their interests on the web, then found forums or watering holes around which people of like-minded interests congregated & talked shop. It’s not like that at all.  This new place was so much easier than that old place, I realized. Some were anointed in this new place with signs of power & privilege: they got Blue Covfefe Checkmark, for instance. I saw that, and I wanted one, a fact you can see in my tweet history.

Meanwhile, behind the scenes, I didn’t realize fully how big the grin on the Cheshire Cat of Silicon Valley & capital was.

But I did realize slowly that I could never focus on just one aspect of myself here. Nevertheless, I picked up followers, many of whom remain to this day. Awesome!

Why People Use Twitter, and Why they Don’t

Next, I made the mistake, particularly in the last year, of thinking people on Twitter went to twitter to find friends or fellow travelers. They largely don’t. They go there to associate with their communities, and if you go in ready to throw (polite, somewhat aggressive, but ultimately jarring civics) elbows, you’ll get banished quickly. People will mute, unfollow, ignore & monitor, or block you. I only got blocked once to my knowledge, but there you have it. The number of times I got muted I’ll never know, but my guess is it was very high.

Please note, I’m not claiming I’m a victim here. I’m claiming that I was sensitive to and sensed feedback from my readers, as all writers should! Anyway, I’ll never know if I was or not. That’s not for me to know.

Randomly, I’d take stock. Oh wow. That person whose tweets I liked stopped following me. That hurts. This other person who follows me & I like has stopped liking/retweeting my stuff, yet I see them tweet all the time. Did I piss them off somehow? It’s easy to bother people here, I’d say to myself. It’s easy to get on someone’s bad side here. What am I missing, I’d think. It’s kind of miserable here, I said to myself when someone I liked unfollowed me. In old world, when blogging, I never saw these signals. I just wrote. It was wonderful. And this gave me anxiety!

Not hustling hard enough in the crazy hall of mirrors

Ok then. So what the hell are we all doing here in this awful product?

Slowly I realized I was wrong about the rules of the game. This thing, this place, it wasn’t about likes & follows as I imagined. That’s just what the people who built it wanted me to think. I realized that all the stuff I saw was evidence of people organizing. They were protesting, politically. Even when they thought they weren’t. They were getting mad as hell & not taking it anymore. They, and I alongside them, were negotiating interests loudly & aggressively in this crazy, smoky hall of mirrors with zero trust signals and lots of bad faith.

To borrow a Twitter joke/meme about Silicon Valley I was particularly fond of: they invented the commons & called it social media. Insert emoji here: 🤣🤣. Now like, retweet, share, and ignore the serious point

Is this place the commons?

Hmmm, I thought to myself. Isn’t that what people usually do when they go to the commons? I voiced this a couple of times…but always figured the real commons isn’t a crazy smoke-filled hall of mirrors owned by a private sector company…this is Twitter…it’s not that, it’s not the commons. The public commons or town square is impossible to be owned by a private company. That’s crazy Jeff!, I thought.

Hassling & Harnessing Expert Power on my Quest

Bug in brain, and not knowing or understanding why I had stumbled upon such a question, I went and started chatting up the consumer tech elite. I bugged Nilay Patel a bunch, got a few nibbles, no bites I’m afraid, even when I tried jokey, friendly tweets resistant to mutability. Same with Casey Newton, who authors an outstanding newsletter on democracy & social media, but that doesn’t scratch my itch enough.

I got a bunch of likes, no bites, few replies. I’m really bad at Twitter, I thought to myself.

Then I started tweeting at Walt Mossberg, a man I really like and admire for his towering career, his wit, his journalism, and his sign-off note at his retirement calling for regulation of tech via administrative courts. I followed Walt, then one day, hey Walt, what the hell is this place and why am I here?! Is it the commons Walt?

It’s not the commons he shouted back, probably before muting me, because I’ve never gotten a response again. 

Slowly, I got the dawning sense that Twitter wasn’t a good place to discuss weighty matters such as these. Duh! Nevertheless, he persisted (so sorry, couldn’t resist).

Next, I added Scott Galloway to the list. Same thing. Few nibbles, no bites, no real debate.

On and on I went, tracing a path through different communities of twitter, looking for answers without even realizing what the question was, or that I was asking a big question. In my mind, I felt I was doing something akin to civics, but I wasn’t woke to that because this was Twitter, a private company’s social platform. And the smart people told me it wasn’t the commons. So asking questions & advocating for my views in an aggressive way, like I learned to do growing up, wasn’t civics, it was simply tweeting. And the outcome of my tweets was simply likes, replies, or retweets. No civics here.

Tweeting the J-School Profs

On I went now to the journalist elite: Jay Rosen & Jeff Jarvis & Dan Gillmor and others, even citing one expert’s case against the other! Maybe they knew what the hell this place was and why the world was upside down. Come on folks!

And then the DC Elite

Then the DC elite, including my favorite pundit in the world, Yglesias, who I’ve read for 15 plus years because I believe in civics & making informed decisions with my vote. Yglesias gave me a few nibbles, a like here, a retweet there, but mostly, none of these kings of social media wanted to play ball and none of them liked my ideas for what I thought was happening here. I even tried to email a few of them sometimes. Believe me, I’m persistent, and a little embarrassed as I write this.

And the Business Tech people

Maybe I oughtta chat up the business tech guys. I liked Ben Thompson, studied his aggregation theory for awhile, and I admired the hell out of him for building a punditry micro-business for himself & his family. Wow! I followed him, bugged him on Twitter, no bites, and one apology issued by me for being a tad too aggressive. Likely muted. Ooops. DAMNIT! I was bad at this social media game.

I even got a nibble from Alex Stamos once. To his credit he gave me a good faith answer, and it was an answer I didn’t like. You can see in this thread I kinda/sorta had the secret unlocked. But no likes, no retweets, no user engagement.

After that, I regret most of what I’ve written to him. I was mad at his brush-off & it was hard for me to watch the meltdown of our society, the government, and my personal privacy while disassociating him from his job at Facebook, no matter his position in security community. Which underlines & places a red circle around a big part of life here in the crazy hall of mirrors, where the difference between your public self & your private self is utterly dissolved & gone.

Twitter & the layperson’s Access to Expert Power

I felt if Stamos was here, in this crazy hall of mirrors with me, that I, as someone who once had a Facebook, Yahoo and other consumer accounts that Stamos secured, in other words a “stakeholder” as we conceived of it in the old world, I felt I had a right to question him. I loved that access to power, but I didn’t know how to use it, but I don’t think he did either, or maybe he did as he was speaking to his interest group only.

In this, I was confused by my own role as an Enterprise IT Pro, where my users hold my decisions & actions to very high standards, and where I tell them what choices have been delegated to them, if they care to ask. I think I was aggressive with Stamos because I viewed him, in a way, like my users viewed me. I occupy a trusted position at work, and I control to a large degree, what my users at work see on their screens, and I work hard to signal symbols of trust & validation to them when they look at the screens I manage. In any case, I loved the access to powerful people, simply as a matter of my own agency in the commons, so I frequently tweeted to him or retweeted him. I feel pretty sure I got muted, which is fine. It helped me to understand what I was doing here.

Given my own experience confusing my role as IT Pro and Stamos’ in a role way bigger and of wider scope than my own, I stumbled across something in one tweet. I said cloud scale folks should treat their users -which is a derisive & politically-charged term- more like constituents. What the wha? I’m not sure I even know what that means. I’m just sure I want some rights in this weird hall of mirrors I increasingly find myself, and you, in.

I went crazy on Digital ID

Oh. Also. I tweeted a lot about certificates and Digital ID too, because I felt that was a solution to this place. Full disclosure: this is like a totally top/down hierarchical solution, designed by patriarchy, by white dudes like me. Surprise! Ha. You’re not surprised are you. Still, please read, because I reflected and I realized what it was, and I still like x509 PKI because it’s most similar to what we’ve got in the real commons, which maybe you’re not satisfied with, but I bet the majority of the constituents in the commons are.  Moreover, you’re already using this system if you use Apple to identify yourself to your phone or PC via your fingerprint or faceID.

No one is talking about this old system, though I tried, even from a social justice angle. But we should. We should have a debate about it. You should evaluate it and challenge my views, and your friends’ views about it, like you did in the public commons on other topics, bringing your own values & beliefs to the table. I tried advocating for it, but I didn’t realize I was talking to interest groups. I was speaking as a tech guy.

But in advocating for digital ID, I did get some valuable pushback from another interest group: anonymous internet users. These people don’t feel safe online. They utilize anonymity to protect themselves & those whom they love. I didn’t really understand that before coming to the new private commons, because look at my Republican.JPG. But now I do.

Powerful Followers & Shadow Likes

But as I continued down this weird path of exploration through the commons, arriving & departing various sections in the smoky hall of mirrors we occupied, a curious thing happened. First, I got followers I never sought before. Like the former President of Estonia. In the old world, this man, whom I respect immensely for his work in Estonia on Digital ID, would never have crossed paths. He literally would never have read my name, because I don’t write for people such as him. But he followed. I was shocked. I also started getting messages from people -respected & smart and wonderful people some of them names you would recognize- and they said something like this: I want to like what you Tweeted, but I can’t like it, if you know what I mean. Others said this: your tweets are on fire Jeff, I love how you’re displaying vulnerability.

A shadow like in the wilds!

hahaha, I replied, to each. Appreciate the feedback. Thanks. I know exactly what you mean

/narrator:no he didn’t and still doesn’t, but it might have something to do with capture of the commons or his

Privilege, MeToo, and Black Lives Matter

Meanwhile, back in other smoky, loud, and largely dark parts of the hall of mirror commons that is Twitter, light, truth, and purity of purpose emerged. People were organizing in ways no one really understood. I liked & followed Zeynep Tufekci. Her Twitter & Teargas book made waves in 2011 describing the Arab Spring, the uprising in Egypt and more, and she had a solid Times column I’d read & cite on Twitter. You might say this scholar was bullish on Social Media, but we all were then and by the time I started asking questions of her, she was no longer so bullish, calling the place I was in a ‘persuasion platform.’

Fast forward to 2014/2015, and we all watched as Missouri caught on fire and riots resulted in the streets. The Black Lives Matter movement hit social & punched through to all of our TV screens. People in the smoky hall of mirrors had found each other, they’d built a community, and that community became an interest group which topped the agenda of no less than President Obama at the time. Wow! This smoky hall of mirrors was pretty powerful. Social media was working, we all thought. None dared call it the commons though.

Shortly after that, the long darkness arrived. DJT elected. 55+ million followers of this big fish there in our smoky hall of mirrors, inside, as I would later learn, a fishbowl. DJT used this new commons as a sniper uses his rifle: with lethality and precision, to get his views & statements on all our agendas, confused as they are there deep in the hall of mirrors. Do you remember when he told DPRK his nuclear button was bigger & stronger? Surreal! A million nervous tweets followed from me, there in the noisy & now frightening hall of mirrors.

But then! Light & truth: #MeToo movement. Hundreds, maybe thousands of women sharing stories of how aggressive men had hurt them, hurt their careers, raped or sexually assaulted them. More stories from women and trans & LGB folks and the great rainbow variety of humans emerged: they too had experienced either harassment or been minimized, zeroed out & dismissed in their workplaces. Titans of industry fell, people like Harvey Weinstein. Hell, they even got O’Reilly & the dark jedi master behind Fox News, Roger Ailes. Wow!

Women and people of color were using this crazy smoky, hall of mirrors fishbowl with lethal precision too, I thought. What’s more, I realized, the people using this weird place best had been the people disenfranchised the most in the real commons. Women only have had the right to vote for 99 years; people of color only had a de jure right to vote since 1965, but in practice, they face & continue to face a lot of friction on their way to the polls, and that’s before we think of gerrymandering. Their voices have been squelched for so long in America, well, now they were roaring!

Interest Groups form on Twitter

They come here, I thought. They come to the crazy smoke-filled hall of mirrors, deep in the fishbowl. They organize here into communities. Those communities become interest groups. And those interest groups pursue political outcomes & political power in the crazy hall of mirrors commons, just like the old world, and they are winning because people I know are going through diversity training at work, sitting through White Privilege slide decks. Wow!

Meeting new Interest Groups

It was through this part of the commons that I learned more about myself, and more about other people. I’m really grateful I did. I never would have come across these voices in the old world, apart from my university years, which are long past me. I only would have found them in this new world. I got mildly offended & mad when someone said I was privileged, then I read up on what that was and I was like, oh yeah, you’re right. I am that way. My path was easy in this life. But my politics, my deep belief in civics, allows me to adapt, so adapt I did. Then I said to them, my path was easy in this life, and I want the same damn thing for you, my friend. I even put He/Him in my twitter profile. I never would have thought to identify my pronoun preference before I came back to the crazy smoky hall of mirrors commons. But the polity in the private commons made it clear they wanted that. So I did it. I got some great followers from many different communities & interest groups along the way. I feel very fortunate for having learned from them, for having read them. I count myself wealthier & closer to my political values for having met them. I thank them.

Left & Right in the Hall of Mirrors

I met other sincere, good-faith people in the commons too. Largely they didn’t want to engage with my crazy questioning or my civics, so I just observed them. There were Republicans in the mix, just like in the old Letters to the Editor page of the paper, which had largely functioned as delegated & privately owned commons local to us in the towns, cities & rural areas where we live. I met old school GOP people, like Tom, who left the party dramatically last year, and whom, somehow, I got to follow me this year. Mostly, I  just watched and learned from the opposition in the commons, the same as I always did growing up. They were using the commons in a similar way, there just weren’t as many of them.

The left was numerically superior in this smoky crazy hall of mirrors commons. The right was there too, but, just like in the real world, they didn’t have the numbers. Still, some good civics debates can be had in this new commons. And I like that. As a kid who was educated on Point/Counterpoint, it drives me, it really does. It’s what I seek. I thought it was dead, but it wasn’t. The commons should be a little wild & crazy. It is neither a marketplace of ideas, nor a public library, nor a Barnes & Noble as I once supposed. It’s literally the commons, or the public square, if you wish. Only now, it’s captured & owned by a private business.

And that’s not good. That’s not good for me on the left, nor you on the right. It’s benefited my side -sure- and I’m so glad it has, because dammit, I like that women & people of color are now enjoying just some of what they lacked in the old world, but private capital’s management of the commons is utterly clueless & incompetent, and the whole thing could easily become the next Rohingya genocide, only it might happen here. Or somewhere near here.

What’s more, it’s confusing that capital has captured the commons. Witness the debates about “de-platforming,” that we’ve had on twitter.

The smokey hall of mirrors inside the fishbowl is a confusing place, a place where zero trust signals are available for us to see or make use of, a place where bad actors -many of whom don’t even belong in our American public commons- face the same fast, friction-free path to organizing and advocating for political views, for good and for ill.

A Hall of Mirrors inside a Fishbowl owned by Capital

A smoky hall of mirrors. Inside a fishbowl. With capital & tech on the outside, looking in. Poking us with inputs and observing the outputs. Hmmm, that’s interesting. Let’s A/B test this change, and see how they react. Measuring the output. Maybe they realize they now own the commons, maybe they don’t. In either case, they laugh all the way to the bank, and the next mega-company looks to create a viral megahit virtue-signalling ad that will light the private commons on fire.

Mansplaining to you my view of this place

Look, I’m not anyone special. I’ve got nothing to sell, other than my ideas, which you can have for free through the amazing thing that is civics & the old fashioned internet. I’m just a dad, an IT Pro, and someone who studied and pursued my interests kind of apart from my career. I’m not academic, but let me say I think you should approach Twitter and other social media systems like this:

  • When they say “social media,” you should think the private commons, or the privatized public square
  • The owners of privatized commons saw political expression on their commons and they didn’t know what it was, so these brilliant data scientists, programmers, and the moneyed banks & marketers -many of whom think poorly of politics or look down upon it and have no second thoughts about choosing things for you- they called that phenomenon “user engagement.” But you should think of the portion of “user engagement” surrounding political discussion as regular, good old fashioned civics, as people massing & organizing in commons, negotiating their shared interests with one another, and shouting from a soap box to you, to try to sell you on their ideas
  • You may call yourself and your allies on Twitter a community, or a movement. Keep doing that. But add interest group to your vocabulary too, for that is what you are, left or right, and it’s been amazing to watch you all work, particularly #BLM & #MeToo. You’ve dominated the public agenda, and that means what you do works and it has an impact, and that’s kind of incredible for leaderless civics orgs.
  • When you agree to Terms of Service, End User License Agreements, or Privacy Agreements, you’re agreeing to the law of the digital private commons. There is no appeal, except to voice your complaint in the semi-free speech commons that is owned by the private company
  • You should think of the C-Suite of these social companies as akin to unelected leadership in a private, wholly-owned kingdom that opens the commons to anyone with an email address or phone number and dispenses various signals of virtue & enlightenment upon princes & princesses of that kingdom (Blue Covfefe checkmark). The process for getting these virtuous signals that the commons understands is entirely opaque and is, like everything else, left up to the kings to decide
  • When Zuckerberg and other Kings of these privatized commons address you as “community,” you should get mad, make lots of ‘user engagement’ noise that the data scientists back at the castle will interpret as civics, eventually. Whether they ignore it or not, is beyond our control. They probably will for as long as possible, or maybe they figured out a way to sell your civics to adtech, which is most likely. Anyway, none of this is transparent & they will throw lots of sand & dust in the air to tell you how they are responsible stewards of private commons. But they’re not. They’re clueless.
  • Political memes in the digital commons are the political pamphlets & posters in the old commons
  • Because there are no trust signals inside Twitter & Facebook, the new private commons, users in that space have invented their own. If you want to be trusted in the new commons, you’ve got to screenshot & tell your followers  you deleted a tweet. That’s because there’s no unbiased mechanism in place, like a public log or what not, that allows you to signal to your followers you deleted a tweet. And as we all know, the Kings haven’t given us the power to edit tweets yet.
  • Muting a follower is a compassionate act one person performs in the commons on another person in order to shape & understand the commons better. Filter bubbles got it all wrong. People who mute for politics talk in the private commons are just walking away from your noisy talking, from you on the soapbox, just like we do when we walk down the street and ignore a protest movement on the way to join our own interest group
  • It didn’t break our politics. Our politics, which are practiced in the commons where the people gather by definition, simply moved to the private, captured commons, because friction was minimized so effectively by capital, and celebrated by tech journalists who don’t understand politics or the commons, industry observers, and powerful tech-elite, who even use the language of the commons (pioneers, settlers, town planners)
  • When you hear that people -diverse, wonderful, free, sovereign human beings like you and like me- are stupid and susceptible to the filter bubble, or don’t know how to distinguish light from dark in a hall of mirrors with zero trust signals, you should get pissed & angry. How dare they? Remember, they built it this way. 
  • The Republicans realized this first. That’s why they’re so active in trying to influence the new kings of the private commons. As well, they’ve got financial interests that bias them to not admit it
  • But so too do the Democrats, some of whom have realized this truth, but the base doesn’t appear to grok it, nor does the Republican base
  • The two American political figures who understood it first: Donald Trump & Alexandria Ocasio-Cortez. Both of them realize they are competing in the new private commons, that you and I float between & see interest groups in this space, and they both are racing ahead from their respective soapboxes in the public square of our private commons.

What do we do from here? Where do we go? Governments broken and not moving. It’s closed right now. Academia still there, and I learned so much by following smart & open academics on twitter, but the money from Silicon Valley, as Zuboff has noted, is so good that the brain drain is on in higher edu. The free press is still kicking, but I think the owners of the new commons have them right where they want them: in the hall of mirrors, sorting light from darkness, signal from noise, and chasing illusions, like I did for a long time. To help you parse this new reality, I’ve got a list, if you want to study it.

Beyond that, it is wholly & completely inappropriate and indeed terrifying for a private company to own the commons. Why? People come out of their homes. They meet each other in the commons, when they are of age. They begin negotiating their interests. Then they form interest groups & they build an agenda based on their mutual interests. This worked fairly well, even when the commons was owned by private companies -like the dozens of once vibrant metro newspapers- but those are largely not the commons anymore. Twitter is. And Facebook. That’s what they’ve captured in the last 20 years, as Zuboff notes so well. I’m utterly convinced of it.

Walt, sorry buddy, I love you, but you were wrong.

I see the same thing in the old commons that I do in the new digital private one, only I see & hear from new forces, and dark forces too. Vlad realizes it’s the new commons. That’s why he’s attacked it to mixed success. Corporate America realizes it’s the new privatized commons; when Nike & Gillette buy & share ads on Twitter, even ads that have positive political messages I agree with, let’s be honest: they’re erecting billboards in the privatized commons, billboards whose political message appeals to the majority of the commons, folks who are on the left, and oh, also, wanna buy a razor?

I don’t think mid-level technologists in Silicon Valley or Washington yet realize that the commons has been captured & privatized and that BLM & MeToo aren’t community movements, but interest groups agitating for political power in a shared space their companies own.

Is there a fix?

There’s a couple of things we could do. We could inject our real world legal identities into this privatized commons by virtue of an optional gov-issued Digital ID, in effect becoming citizens in this space rather than mere users, but have a look at my tweets over the last two years to see how popular that idea is. We could repeal and blow up Section 230 of the 1996 Computer Decency Act -the act that created all this, and is, by my reckoning, the father of all unintended consequences because it enabled both the discovery of surveillance capitalism + the capture of the commons (I use father because I want a man to own it). We could kill that thing, and all would go back to the way it was. We’d have our clunky old internet back, which was built to resemble our clunky old democracy (another thing I tweeted about often), but we’d lose all those new voices that have taught me so much, and for which I’m grateful.

Actually check that. We wouldn’t technically *lose* them. But they’d face more friction in making their voices heard. But so too would the right. Which seems fair. Right/Left should face equal friction, and that friction should not be zero for the interests & integrity of the commons, whether owned by a company or the public. Then again, the non-privileged people are enjoying their first tastes of political power, so I’m inclined to think this is a bad option.

But, it would end the abuses of our new private commons -the hall of mirrors would be gone- and maybe we’d have normal, slower civics without as much foreign or bad actor interference.

But the owners of the private commons are going to fight like hell to ensure that never happens. Because they are getting *ungodly* wealthy off of this change we’ve all been blind to.

Anyway, now that I’ve realized this -thanks in large part to exploring the private commons that is Twitter over the last two years- I don’t think I want to hang out in it much anymore. I want the old commons we had, but with the new voices I read and the new people I met in the privatized commons. I want to see them and advocate for them & their interests in my big-tent party, the Democratic party, and I want their voices to be heard. So should you. Even if you are a right winger I would never vote for, you should want what I want. We all should want good faith, a plain & easy to understand commons so we can debate, negotiate and sell each other on our ideas without the adtech people watching & occasionally manipulating us, not to mention the bad faith actors & foreign intelligence agencies.

I’ll pop in from time to time on Twitter, maybe lend my voice to an interest group’s cause, even though I see what it is now. I’m happy I figured this out to my own satisfaction because now I feel like I can write with confidence again. I’ve found my muse fam, and I’ve got the confidence to argue for it in the public sphere, on my website!

Managing Enterprise Secrets & Privileged accounts has to be one of the most difficult jobs in Information Technology today, and one of the least transparent to the business. Bad guys have painted a target on admins’ backs, regulators are chomping at the bit as more consumer data is lost online, and Compliance officers are scrambling to understand the landscape and adapt to new rules from overseas. And yet the business may not even realize that unsung heroes in IT are still managing a stack of hardware & software designed to fulfill 1990s-era security models.

Take it from me: I know this pain well. Even if you do have an internal identity system, say Active Directory, it can be difficult to get all the bits from your Storage, Network, Compute & cloud systems to run a proper AAA model against your AD Forest. Even more difficult: figuring out how to audit the records of Active Directory (or NPS/RADIUS or ADFS or OAuth2/SAML glues) to present to your Compliance officers.

Yet in the background, a constant churn of news that only raises the pessimism bar higher: Target. Anthem. Maersk. Equifax. Facebook. Marriott. The goddamned CIA and the f****** National Security Agency. I made a Visio Timeline because I was having difficulty tracking all the breaches, and I’ve run out of room! And let’s not forget the business and your user colleagues’ need for secrets too as consumer technology continues to eat away at the Enterprise and as more of the economy is digitized. By 5pm most days, IT admins are just hoping to make it to retirement in 10 years without their orgs getting popped by a black hat.

Enter CyberArk. This Silicon Valley company was founded in 1999, which is impressive to me. It’s not often you’ll find a company that’s been selling a product that handles Enterprise secrets + PAM for 20 years, at least a decade longer by my count than the popular consumer password management companies that are now sashaying their way into your Enterprise, as if they understand the challenge you’re facing. At Security Field Day 1 (#XFD1), CyberArk’s maturity & comprehension of the challenge of securing the enterprise really showed.

CyberArk’s Privileged Access Security Suite is a mature & fully-featured secrets + PAM tool. I was super-impressed with the demo their Global Director of Systems Engineering, Brandon Traffanstedt, gave us back in December 2018 in sunny San Jose. I came prepared to endure a boring password management demo; I left impressed at what I had seen, with only a single caveat.

Not only was CyberArk’s product comprehensive, it was bad-ass, with one exception. I saw:

  • An SSH session opened to a network device’s command line, with a second factor prompt before access was granted
  • Full auditing + screen recordings of a Privileged Account accessing a protected server, just the kind of thing that reassures the business that you, as an admin, have nothing to hide, are not an ‘insider threat’ and are 100% transparent in your work.
  • Deep integration into Windows’ Win32 API, hooking into parts of the OS I’d not seen before outside of Microsoft products, including Credential Management
  • Full integration & support for MacOS
  • OAUTH2/SAML support and full support for your ADFS infrastructure
  • Cloud secrets & PAM management across AWS and (soon) Azure
  • Full support for your RADIUS infrastructure & 802.11x, whether via Microsoft’s NPS or some other solution
  • Automated credential rotation so that you don’t have to scramble when a fellow admin changes jobs, is fired for negligence, or joins Edward Snowden in Moscow
  • Secure sharing of secrets among your privileged IT colleagues
  • An offline, secured, and high-entropy password in a sealed envelope you can hand to the business for peace of mind

I’ve been working in IT for about as long as CyberArk’s been pounding the pavement and trying to convince IT Teams to invest in Enterprise Secrets & PAM software. I was impressed… particularly because CyberArk scratches an itch that many IT Teams don’t know they have: the security costs & technical debt of a legacy of tactical, rather than strategic, investments, which tend to leave an org in arrears in 2019’s security landscape.

Por ejemplo: say you’re a mid-market SMB IT shop in the healthcare sector that’s experienced a lot of turnover among its IT admin staff through the years. If you’re the business, you’ve watched as IT Admins come and go, and listened as they’ve pitched tactical solutions to various challenges facing the business. You’ve invested in a few, and most work well enough, but gluing them all together into a comprehensive, strategic, and business-enabling solution has been a challenge.

While your solutions are working, you’re paying a cost whether you know it or not because more than likely, the technical legwork needed to glue those solutions together into a comprehensive & auditable security framework hasn’t been done. Meanwhile, the regulators are knocking at your door, the pace of breaches quickens, and Brian Krebs’ pen is waiting to write about your company.

CyberArk is a good fit there. No, check that. It’s a *great* fit in that scenario. The product addresses threats to your business from both the inside and the outside. It protects Enterprise secrets -the very thing your admins are targeted for- while shining a bright light on your employees’ Privileged Accounts and how they are used.

It’s a product that’s far beyond anything the consumer password management companies are offering…trust me, I’ve looked at them all. It’s a true Enterprise solution. However….

I will say that one area where CyberArk felt a bit less than polished was in how they’ve architected the sharing & use of secrets with non-admin users working in the business. If we return to the healthcare example, think of a person in your business who needs the credentials to login to a state Medicaid site in order to bill the payor of a medical product.

In fairness, this is a complicated problem…while it’s in the business’ interests to control/maintain/audit all secrets, including to third party sites & services that are outside of IT’s domain, the mix of devices/browsers here is a difficult puzzle to solve. Yet it’s here that CyberArk’s product left me perplexed. They propose intercepting TLS traffic on your users’ endpoints & injecting credentials into your business users’ browsers, whatever they may be.

This seemed to me -at the ass-end of 2018- to be a poor solution. For starters, we’ll soon see TLS 1.3 across more and more websites. TLS 1.3, as my fellow Delegate Jerry Gamblin pointed out, is not something you can intercept, decrypt, and inject credentials into. Indeed, other vendors in the security space seem to be steering Enterprise customers away from the expectation that we’ll be able to intercept/inspect/fiddle with TLS 1.3 connections. At best, we’ll be able to refuse TLS 1.3 connections in favor of the more Enterprise-friendly TLS 1.2 connections, but even here, the Enterprise’s political power & ability to influence the market & standards bodies is lacking, and Google, for better & worse, rules the roost. Even Microsoft is playing second fiddle here and announced in late 2018 that it would ditch its new Edge browser’s Trident engine in favor of Chromium open source.

Secondly, CyberArk’s solution even here feels archaic. They propose that you put a middlebox in front of your users to accomplish this. This is definitely old-school, calling to mind the many nights/weekends I spent configuring & troubleshooting BlueCoat devices in server rooms across many Southern California businesses. If you’re going to tackle a problem like TLS intercept, you need to think 21st century and go with a cloud interception service that will follow your users around on the internet. Middleboxes often make your security posture worse, not better.

In my day job, I intercept/inspect TLS connections across several continents and on several thousand endpoints; it’s a tricky science and one that’s filled with compliance & policy questions above my paygrade. Microsoft’s move in the browser arena fills me with questions, and that’s before we consider mobile devices; so too should it fill you with questions if you are looking at CyberArk with an eye towards sharing secrets with non-admin users.

So, caveat emptor on this narrow point, friends: a significant selling point of CyberArk’s featured product (injecting secrets into an HTTPS session) may not work a year or two from now. We raised this issue at #XFD1 and CyberArk says they have a plan for it, but eyes open!

Other than that though, I was really impressed. CyberArk gets the challenge facing Enterprise IT in this Wild West era. It intuitively understands the complexities of Enterprise secrets, PAM, insider vs outsider threats, and auditing/compliance requirements. The only place it seems to fall short is in sharing credentials from the ‘Vault’ to non-privileged users.

Check it out if:

  • You’ve got a heterogeneous stack of best of breed IT hardware & software and you’ve neglected integrating AAA security across that stack
  • You’re in an environment requiring heavy compliance & auditable proof across your stack against both insider & outsider threats
  • You want 2FA/MFA on old network switches, Macs, and Windows Servers
  • You want screen captures of your admins’ work on devices, servers, and services that you consider privileged
  • You’ve got cloud/SaaS management challenges even as you’ve centralized identity in on-prem Active Directory or another system

Ignore it if:

  • You’ve only ever bought Microsoft, only have Windows PCs & servers and Microsoft applications, and you have an MCSE on staff who understands Kerberos, Active Directory, NPS, RADIUS, ADFS, OAUTH2/SAML, and has configured your AD environment to comply with various regulatory statutes and compliance regimes

Disclosures
This blog post was written by me, Jeff Wilson, for publication on my blog, wilson.tech. I was not compensated by CyberArk to compose this blog post, and CyberArk did not see it prior to its publication. I learned about the CyberArk products during Security Field Day 1 (#XFD1), an event for IT, Security, and Enterprise influencers that was held in December 2018 in & around Silicon Valley, California. The Gestalt IT group paid for my airfare, accommodations, and meals during the time I was in the greater San Jose, CA area. CyberArk and other sponsors paid Gestalt IT to bring Delegate influencers like me to #XFD1.
I received no monetary compensation otherwise, save for the swag listed below.
CyberArk swag I took home:
  • A ballpoint pen
About Me: My name is Jeff Wilson. I am a 20 year IT Professional with a security focus. I hold a GSEC from the SANS Institute, as well as a Bachelor’s Degree in History & a Master’s in Public Administration, both of which are from CalState. I live & work in Southern California. You can reach me on Twitter @jeffwilsontech or via email at blog@wilson.tech