Human Rights Watch Needs an Information Security Director

I'm sure it pays less than the industry average, and the stakes are much higher than the average. But if you want to be a Director of Information Security that makes a difference, Human Rights Watch is hiring.

Posted on May 18, 2017 at 5:48 PM • 11 Comments

Comments

Ross Snider • May 18, 2017 6:52 PM

These types of posts in peace and human rights groups like HRW, The Tor Project and Wikileaks need truly honorable people at their posts - people who can rise above nationalism to serve against injustice wherever its origins are.

65535 • May 18, 2017 11:36 PM

Ross Snider is correct. The groups need security badly from the most powerful actors criminals. I am not that good. But, I am sure some of the other contributors to his blog could fill the position. Cough, NickP, Clive and others.

Clive Robinson • May 19, 2017 4:29 AM

@ 65535,

    But, I am sure some of the other contributors to his blog could fill the position. Cough, NickP, Clive and others.

Small problem, from the job spec,

    Willingness to partake in extensive global travel is required

I'm still banned medically from flying...

But on another note, as I once said to Nick P some years ago with regards to travelling across borders with laptops etc "I doubt I could harden a PC against the likes of the NSA" when they can get their hands on it.

One of the biggest dangers facing people working for such organisations and those that they need to talk to is their location being known, likewise to whom they talk and when.

Taking equipment through customs is a bottle neck where not just you but anything you are carrying can be not just identified but subverted against you in some way.

For instance it's highly likely that the US laptop ban will spread out. Thus you will have to hand it over at check-in along with identifying information and you will not see it for some considerable time to come, which means "Evil Maid" / interdiction attacks need to be considered the norm there from now onwards. Likewise camera / audio equipment will be joining the "take away list" fairly soon.

Which means we will be lucky to keep our hands on our smart phones in the near future.

The upshot as I pointed out some time ago is "crossing the border tech less" and sourcing it at your destination. Which then means having the considerable skill and knowledge to secure it then and there prior to connecting to the Internet and then pulling in the required user environment. This alone can be used to flag you up to Nation State SigInt agencies.

I can think of solutions to some of these problems and have mentioned a few here in the past, but the real issue at the end of the day is "human". Training in and ensuring proper OpSec at all times is difficult enough that few people can reliably do the basics even in the Mil and IC domains.

Dirk Praet • May 19, 2017 6:57 AM

The job description, required qualifications and experience totally sound like my cup of tea. I can even add a reasonably neutral nationality and excellent linguistic skills, but am unfortunately not a suit and tie kinda guy, which in general tends to be a total showstopper for this type of position.

@ Clive

    Taking equipment through customs is a bottle neck where not just you but anything you are carrying can be not just identified but subverted against you in some way.

Unless you're covered by some kind of diplomatic status, my recommendation would be traveling to high-risk countries (USA, UK, Russia, Saudi Arabia, Israel etc.) without any electronic devices and getting clones to destination by other means (e.g. DHL to alternative trusted address under different name). An alternative approach is to wipe/factory reset/load with base image such devices before departure and recover from encrypted backups at destination.

Anon 1984 • May 19, 2017 8:57 AM

Ever had luggage disappear for 12 hours after arrival, and the airline refuse to pinpoint where and when they last knew of the location of luggage?

TLA agents have been tailing someone for simply purchasing a copy of 2600 mag from Du Pont Circle shop in DC.

Dude can't even imagine visiting States now!

More Information • May 19, 2017 9:41 AM

@Anon 1984

    Ever had luggage disappear for 12 hours after arrival, and the airline refuse to pinpoint where and when they last knew of the location of luggage?

    TLA agents have been tailing someone for simply purchasing a copy of 2600 mag from Du Pont Circle shop in DC.

    Dude can't even imagine visiting States now!

The Ku Klux Klan's underground recruitment went ballistic under Obama's presidency. KKK kith and kin are embedded all over the government pulling stunts like that. Right now I have about half a dozen blonde blue-eyed pasty-skinned girlfriends to dump. (I have brown hair and hazel eyes, so they want to eliminate my genes from their pool, because not even a freckle is allowed to contaminate their pure race.)

Just like the privileged ladies from the antebellum South: murder while male is a capital crime, but femmes fatales are cool, and so on down the line.

Jesse Thompson • May 19, 2017 6:17 PM

@An Alternative View

Are you confusing HRW (Human Rights Watch) with HRC (Human Rights Campaign)? I can't look it up just now on mobile, but I am left with the impression that these are simply not the same organizations.

@More Information

That sounds like a tirade of claims desperately crying out for some citations.

@Anon 1984

Chilling story, but likewise requires a citation. Unfortunately I don't have enough unique keywords here to even perform a Google search.

@All three of you

With such evocative pseudonyms and unusual rhetoric, you wouldn't all happen to be the same poster, would you? O.O

George • May 23, 2017 8:44 AM

I need my fat-cat corporate job until the kiddos are a bit older, but I've been toying with a more service-oriented job for a while now.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.