tptacek 6 years ago

This is alarming, because the job of "newsroom security" isn't the same as the corporate security job. Smart organizational security teams rely on a meta-strategy of collapsing user behavior down to a smaller set of activities that they can track and deploy countermeasures for; this works well for employees ("get everyone on the same ad-blocking Chrome extension that we can vet"), but doesn't account for the journalist threat model. Journalists work in the field and deal with sources, who can't (and wouldn't, regardless) comply with corporate security directives.

What you're hoping a newsroom security practice is doing is building source protection systems, like secure dead drops, while also serving an advisory and harm reduction function for the journalists themselves, so that they can safely open attachments and follow URLs and communicate over social networks. In that environment, you can't just say "no, don't do that, do this other secure thing instead", like you can with company staff.

It's a specialized skillset, and one that security teams are not generally good at.

  • DEADBEEFC0FFEE 6 years ago

    I didn't read the article, but perhaps they don't need a Director for this function.

msteffen 6 years ago

I got curious about why the NYT would do this and did a little googling, and I think her boss still works there (https://www.linkedin.com/in/billmckinley), so, per other comments, it doesn't look like the NYT is giving up on security or anything crazy like that.

It does seem like they might be cutting staff, though, which doesn't feel all that much better.

kylecazar 6 years ago

I don't know it's fair to criticize this without knowing the internal circumstances and motivations for such a move.

As others with knowledge of the matter suggest, this may be purely organizational. A title being 'eliminated' doesn't necessarily mean its function disappears.

Not very relevant, but I interviewed with their product team recently. They seemed very competent and thoughtful.

  • tptacek 6 years ago

    The tweet itself directly addresses your concern.

    • kylecazar 6 years ago

      No need for a dedicated focus is nowhere near enough information to take away "this is not important to our company anymore". It is management speak for you are not doing that here anymore.

      You would have to know the exact responsibilities this person had, how much time/energy they took, whether or not there was duplication of effort elsewhere, etc.

      It is important to know the facts, from both sides. In my mind, at least.

      For example, they are hiring a PM on this same team right now. It's very possible they just saw this position as an unnecessary level in the hierarchy.

andrewstuart 6 years ago

"Why do we need a Security Director? Our security is fine, there's no problem, so why spend the money?"

There's this weird dynamic in information technology where professionals doing their jobs really well result in there being no problems. When there are no problems there's not much attention and the lack of problems is devalued by management.

Management value teams and managers who heroically solve big problems and issues.

This is why companies can sometimes decide that their best people are not needed cause "all is so quiet" and fire them.

  • mc32 6 years ago

    I have no insight here, but given the NYT isn’t completely ignorant about technology, conspiratorially I might think it could be a way to push someone they didn’t want anymore out —we eliminated the position! (And we just created a new chief of “cyber” position, it’s totally different).

    • MiroF 6 years ago

      You always eliminate the position so you don't have to pay severance, oldest trick in the book.

      • zaphirplane 6 years ago

        What is severance for if not for redundant positions?

  • ALittleLight 6 years ago

    An odd corollary of this is how being kind of bad can cause massive problems that get the attention of high level people and lots of focus. If you can then fix, or help fix, the problems and dodge blame, it's really quite positive as you get to know the high level people you'll be able to leverage for promotion and career advancement.

  • qzervaas 6 years ago

    Kind of like how everybody thinks Y2K was a zeroburger because nothing catastrophic happened.

  • bigiain 6 years ago

    Management value teams and managers who engineer huge problems, blame them on someone else, and then pretend to heroically solve big problems and issues.

    • busterarm 6 years ago

      This doesn't just apply to engineering fields either :D

  • Gene_Parmesan 6 years ago

    This is where having someone on the executive team with technical experience can be such a boon. I know I'm lucky with this, but our exec (chief admin. officer) spent years in the IS ('s' is for services) department at our company -- starting as a VB dev back in the 80s. Luckily leadership is fairly forward-thinking for a nonprofit and we've been doing Angular and C# for years now. She consistently goes to bat for our director and has managed to get our CEO to understand the great difficulty involved in keeping an IS operation running smoothly.

    I mean, think about it. Hospitals wouldn't fire the surgeons for consistently executing error-free operations.

    • dawnerd 6 years ago

      When I worked at Discovery Channel I remember a call where the CEO admitted they have no idea what they're doing with regards to tech. Made my decision to leave seem smart looking back now that they've shut down Rev 3 (where I worked for a while) and the other division doing R&D. Was pretty frustrating to build stuff that would never see the light of day.

      TLDR; execs that know something about tech are super important.

  • donohoe 6 years ago

    Stop! It’s a re-structuring, not abandoning of infosec. This was one person out of many. Still sucks, but should be seen within context.

  • hkai 6 years ago

    You are assuming that NYT doesn't care about security, whereas this might be as simple as this particular lady being fired. As others said, her boss and other information security people are still working there.

RcouF1uZ4gsC 6 years ago

Future headline: NY Times reporter gets phished. Confidential sources' identities and quotes made public.

Worldwide we are seeing an attack on journalism and the free press. Cutting security resources as a short term profit-boosting exercise can have disastrous consequences. Many people all over the world risk arrest or even death for sharing information with journalists. If they can't be sure that the journalists have an excellent security apparatus backing them, it will be too risky for them to come forward.

  • bitwize 6 years ago

    The Tim Pool vids that hacks of and leaks from the NYT inspire should be interesting.

  • motohagiography 6 years ago

    I don't know if American journalists seriously need opsec anymore, as nobody in the legit press is writing anything that could threaten the institutions they'd need to protect themselves from. Anyone doing anything dangerous today isn't going to depend on the protection of their newspaper. The only people with skin in the game are actual activists, short selling hedge funds, and maybe some edgy podcasters.

    There is this odd dynamic where if you need the additional legitimacy of an old media organization to get your story out, there must be something fishy about it. Like it's a palace gossip leak, and nothing with real consequence or risk.

    If your story is really worth your safety, there is the much greater risk that editors will spike it, the way they did with pretty much every major whistle blower story of the last decade. Hollywood was protected for years, intelligence leaks were regularly spiked, and often journalists themselves were complicit actors in the official retaliations. I'm sure the NYT will still have a security role of some sort, but the idea that it could actually equip reporters at a corporate level with the tools to do the kind of opsec you need to facilitate stories at the level of the Intercept, Wikileaks, and other insurgent media seems unlikely.

    • marcoseliziario 6 years ago

      One of the most annoying things in Hacker News is people downvoting any opinion that doesn't match their world view.

      I don't necessarily agree with the poster above, but it is obviously not an instance of trolling, also it is not offensive or damaging to anyone.

      • robohoe 6 years ago

        Same really goes for every social media/news site that allows comments and voting.

      • danso 6 years ago

        Declaring that journalists today aren’t writing anything of importance is a pretty trolling assertion.

        • marcoseliziario 6 years ago

          Maybe it is a hyperbole. Maybe it is a radical opinion. In both cases, it is not clear it is a trolling assertion, because it fails the test of being clearly an opinion given with the intent of derailing a discussion. A troll is not someone with radical, out of average opinions, a troll is someone that wants to derail a discussion. It doesn't look like that for me. It is not even that much of a novel assertion, in one form or another, I've been hearing opinions like that from people from all sides of the political spectrum since I became interested in political debates. It is not that far from what you've got reading books like Chomsky's "Manufacturing Consent" or from what you read on a lot of right-wing blogs. If you think this is an incorrect and unjust assertion, and I would be strongly attracted to agree with you, the best course of action is not silencing the speaker, but engaging in rational discussion with them. Then, and only then, if the poster refuses to address your arguments rationally, and starts things like personal attacks, fallacious arguments, and a general uncalled-for aggressiveness, we could justly label them as a troll and act accordingly, not before.

        • marcoseliziario 6 years ago

          Ironically, someone downvoted you. Which is a shame. Even not agreeing with what you said about it, I really appreciated the opportunity to present my counter-points to you.

          • danso 6 years ago

            I appreciate your lengthy response.

      • dillondoyle 6 years ago

        I disagree (though I didn't down vote). I think the sentiment expressed is fairly dangerous without clear evidence. I had a similar reaction reading what the parent comment wrote as to when I hear people say my vote doesn't count; just by expressing that (wrong) opinion has dangerous consequences.

        • kijin 6 years ago

          Sentiments are not dangerous. Textual expressions of sentiments are not dangerous. Real-life consequences are. But often those consequences are not a direct result of sentiments, but of an underlying socioeconomic problem of which poorly articulated sentiments are often mere symptoms.

          Suppressing the symptoms and pretending they don't exist won't make the root cause go away. If anything, it will only make the eventual consequences hit us more violently. People will say that the blow-up was sudden and unexpected, but in fact they've been ignoring the warning signs all along.

          • croon 6 years ago

            > Sentiments are not dangerous. Textual expressions of sentiments are not dangerous.

            This is stating fundamentally that manipulation, propaganda, brainwashing etc does not work. Which is patently false. So obviously there is a spectrum. Seeing as it's very possible to steer people through words, the remaining debate is regarding what is dangerous and not.

            • kijin 6 years ago

              > This is stating fundamentally that manipulation, propaganda, brainwashing etc does not work.

              Those things have the desired effect only when the manipulated sentiments result in concrete actions such as voting or not voting for someone, buying or not buying something, treating somebody in a certain way, etc.

              I want as much as anybody else to block the effects of these menaces. But the way to do it is to block the pathway from propaganda to sentiment to action (to use a pharmacological analogy), not to suppress the sentiment.

              The whole idea of the free press depends on supporting the free expression of ideas, sentiments, arguments, and testimonies and only suppressing actually detrimental actions. As Justice Louis Brandeis famously noted, the answer to bad speech is more speech, not less. Start trying to bury some people's ideas just because they might encourage others to behave in a certain way, and it's not a long way from there to book-burning territory.

              • croon 6 years ago

                > I want as much as anybody else to block the effects of these menaces. But the way to do it is to block the pathway from propaganda to sentiment to action (to use a pharmacological analogy), not to suppress the sentiment.

                I'm not trying to twist your words, but does this not entail vote suppression (for example)?

                > As Justice Louis Brandeis famously noted, the answer to bad speech is more speech, not less.

                While sounding good in theory, the problem with more speech is that what's true doesn't gain as many clicks and eyeballs as what's "engaging". Put that on top of the fact that producing researched quality reporting takes factor X more effort than producing something false that _sounds_ interesting/engaging, and with complete disregard to whether it's true or not.

                It then follows that there will always be more low quality news (or in reality non-news aka "crap") to drown out real news, given the basically free transfer costs of the internet.

                I wish I was optimistic enough to think that people in aggregate wanted to be educated, but I think our current timeline indicates that is not so. And as long as that's the case, stemming the tides of crap is the only viable option I see, however hard that is to do right.

                Book burning was bad because it was suppressive of legitimate ideas. I'm not sure what would have been the association if we only burned books suggesting that eating Tide pods was a good idea.

                • kijin 6 years ago

                  You can't suppress bad ideas without also suppressing legitimate ideas, because 1) ideas need to be exchanged in the first place before anyone can figure out whether they're legitimate, and 2) the wrong people will inevitably get the power to decide what's legitimate. I'm not being more optimistic than you. I'm just being realistic.

                  No, I'm not advocating vote suppression. I'm advocating education. Which, as you said, looks like a lost cause, at least in the United States. But if there's no way to win this war without suppressing and silencing somebody, well, so be it. Letting people consume crap doesn't seem all that bad compared to violating civil rights.

                  Moreover, the sentiment expressed in the parent post that we've been talking about doesn't seem all that different from your observation that there will always be more crap than real news and that people in general don't want to be educated. They're both statements about the current state of journalism and news consumers, albeit with different kinds of exaggeration and flourish. We could talk all day about the causes of this problem and how we might fix it, but allowing people to vent their frustration about a problem is not part of the problem.

    • maximente 6 years ago

      yep. once upon a time the sources of information for Greenwald's stories on a particular three letter agency may have sought out the grey lady, but those days are long gone. the hit piece on him afterwards removed all doubt that the NYT is no longer carrying its pentagon papers legacy.

      the US media serves at the pleasure of the King. only a fool would attempt to blow the whistle with the NYT (or NPR).

      • dillondoyle 6 years ago

        NYT continues to break important, 'government source/whistleblower' journalism. Pulitzer is an obvious reference of recent and consequential stories including a description of a 'deeply sourced' story right up top [1], amongst volumes and volumes more reporting.

        [1] https://en.wikipedia.org/wiki/List_of_Pulitzer_Prizes_awarde...

        • motohagiography 6 years ago

          My response to the OP about eliminating this director of security role was in regard to the need of a newspaper for that senior security role. The stories in this page of listed Pulitzer Prizes would not necessitate the level of operational security that a few independent journalists require and use every day.

          The NYTimes still does journalism, and still has an important role, but the need for such a direct cybersecurity role seemed diminished (and management seemed to agree) - and would probably get in the way of less sensitive work if you had to put everything past them.

          To some others in this thread, "troll," seems to have come to just mean a provocative outsider view.

          What most journalists do does not require a higher degree of security to achieve it, so yes, that is disappointing.

shaki-dora 6 years ago

It's really impossible to pass judgement on this decision without hearing the reasons.

Reading between the lines (and using common sense) suggests that the NYT does have a security team, only that its focus is larger than just the newsroom. One scenario therefore would be a consolidation of security roles. The "Head of Newsroom Security" position would no longer exist, even if there is/are dedicated people with that portfolio.

  • ARandomerDude 6 years ago

    Nah, don't think it through. Just react. Those idiots at the NYT are so thoughtless and naive.

  • jonahbenton 6 years ago

    From a PR perspective, it is possible to pass judgement. The clear judgment here is that this move, in the way it was handled, created a PR problem for the NYT at a really poor time for it to have this sort of PR problem.

    It may be that the new NYT CISO feels that newsroom, journalist, and source defense is a) critical and b) better handled by eliminating this role.

    Every security person would agree with a). Given the visibility Runa had and the positive PR she created around this unique need, b) is not the outcome one would predict.

    There is always more to the story than the headline, but as the NYT knows the headline is important in its own right.

    Here, the NYT wrote the wrong headline.

  • rsj_hn 6 years ago

    A director position is a managerial role, not a security engineering role, moreover a director is typically a manager of other managers, who in this case has at least one more security manager above them before the change. I am not a fan of measuring a firm's commitment to security engineering by counting the number of managers in this role, rather than looking at the quantity and quality of engineers. This could be a flattening of a hierarchy or it could be something else.

ethagnawl 6 years ago

I've worked for one of the NYT's subsidiaries and personally witnessed how their security posture changed (for the better!) after they were acquired by NYT. I was told that these downstream changes were due to policies laid out by Runa and Runa's team.

NYT will come to regret this decision. Hopefully, for their employees/readers/journalists/sources/etc. sake, it's only because of the bad publicity.

FiloSottile 6 years ago
  • galkk 6 years ago

    > I think this tweet by Runa just yesterday is a perfect example of why her role was fundamental to the NYT's mission.

    > https://twitter.com/runasand/status/1186206876381384704

    I'm trying to understand what she's trying to say by this tweet and those screenshots and can't. Could you explain?

    • RcouF1uZ4gsC 6 years ago

      My reading of this is that in the story on the left, the online security experts were so easy to contact that it was super easy to quickly forward a suspicious email for them to evaluate.

      In the story on the right, even though the reporter basically gets threats of violence (the pistol), they do not even know who it is that they should be contacting about that.

      I guess this illustrates the benefits of having a single point of contact for these types of online security issues that everyone knows to contact.

  • awinder 6 years ago

    How many people are still under the CISO at NYT? I’m getting spidey-senses tingling that there was bloat in that part of the org, not some insane “we don’t need security” type of angle.

    EDIT: it looks like NYT hired a CISO around August https://www.google.com/amp/s/www.csoonline.com/article/32040...

    • Spooky23 6 years ago

      A high profile CISO doesn’t want some pretender to the throne making noise in another org.

      This definitely sounds like office power politics dragged into the public square. One more reason to hate Twitter.

      • ajhurliman 6 years ago

        Or at least the users who conflate their being forced out with a lack of commitment to infosec

    • marcoseliziario 6 years ago

      The NYT had been hiring like crazy for a few years. Given the financial state most of the traditional media is in, this looks more like plain old cost-cutting on intermediary management layers.

    • tenpies 6 years ago

      This. The most likely scenario to me seems that NYT is seeing a very clear trend after several years of flaunting a complete lack of accountability, highly controversial (not in a good way) hires, and obscene levels of bias for "the newspaper of record".

      Like most Leftist media agencies, it's probably seeing some tough times coming up, so it makes sense to cut costs in areas that are not attracting subscribers.

    • dontbenebby 6 years ago

      How do we know the stated reason is the real reason?

      The one thing I don't see being raised anywhere is that it's incredibly common in civil society for folks who are "shrill" (supportive of equality for all races, gender identities, etc) to be pushed out for "lack of cultural fit".

      • DoreenMichele 6 years ago

        One of the problems is that a lot of people who are nominally "supportive of equality for all races, gender identities, etc" are actually openly hostile to cishet white men with money.

        I think it's possible to separate those two things and I have this hypothesis that you will get further if you are careful to do so and are less likely to be called "shrill" and pushed out.

      • egdod 6 years ago

        The fact that the racist Sarah Jeong still works there weighs against this theory. The Times is depressingly “woke.”

kerng 6 years ago

Wouldn't wanna jump to conclusions from a single tweet, without hearing the other side of the story. Like I have no idea how NYT internal security organization is structured and what the bigger picture is.

Employees that send out critical tweets on the day they are let go are typically in an emotionally driven mode. So, I'm sure we will hear more soon.

kbos87 6 years ago

This whole thread is a bunch of people reading into a situation we know nothing about. The truth of corporate structures is that they vary widely, and we can’t really read much about NYT’s commitment to infosec through this move, especially since it came from a party who was personally impacted.

badrabbit 6 years ago

Very weird, there are much less prominent and less targeted corps with CISOs lol. Their loss, lady is a freaking legend.

Bit of a perspective: Companies sometimes keep security staff but have them report under a director of some IT department. Companies are also horrible, just horrible, about how they perceive the value of an infosec position, the ROI is you don't get pwned. Period. No money savings, no contribution to the bottom line. Not dissimilar to a good insurance policy. I partly fear because it's up to the whims of some exec or some catch phrase they hear somewhere that changes their perception of what value we bring to the table, whereas engineers build, admins run systems and fix breaks.

hackerrenews 6 years ago

One has to wonder if there’s political reason for this decision by the NYT, given Ms. Sandvik’s early involvement with Edward Snowden. Surely this must have made for an interesting dynamic at such a newspaper.

gauravphoenix 6 years ago

Oh no. Just a few days ago I reported a vulnerability in their billing system which has privacy implications.

I am still waiting to hear back from them.

TheMagicHorsey 6 years ago

One shouldn't jump to conclusions and assume the security function is being eliminated.

Positions can be eliminated for a number of reasons. Reorgs, personnel issues, and redundancies are just a few possibilities.

Putting your former employer on blast publicly is a good way to show future employers you might lack judgment.

neuralzen 6 years ago

I just saw Runa speak at Kawaiicon (Kiwicon) in New Zealand, giving the keynote speech, and it was quite evident she not only knew what she was doing but applied it skillfully in the context of an internationally investigative journal. They no doubt have nation-state actors working against them and to infiltrate, and in the light of the both present and coming tsunami of security issues, I can't begin to guess what her employers are thinking in eliminating her role. She will fare far better than the NYT in this decision, that's certain.

willart4food 6 years ago

Management by Spreadsheet: Look! +140K added to the bottom line!

campfireveteran 6 years ago

The mainstream media is like a Diebold voting machine... it's easier to not measure what you're not going to fix.

PSA to future anonymous whistleblowers: don't engage the NYT or you are now more likely to be unmasked.

chishaku 6 years ago

Information security is as unnecessary as a public editor.

https://www.politico.com/story/2017/05/31/new-york-times-pub...

edit: /s

  • matt4077 6 years ago

    The reasoning for eliminating the public editor was that today, social media does a far better job at it than anyone in-house ever could, especially considering the widespread view that it's impossible to independently criticise one's own organisation.

    • will4274 6 years ago

      Which is, of course, ridiculous. The public editor (or ombudsman at WaPo) served a crucial role in giving official "news" status and internal information about drawbacks in their own reporting - neither function which can be filled by randoms on social media.