Five

I went into this one with a fair amount of skepticism. My worries were more than confirmed.

IPv6 isn’t insecure because you don’t understand it, and your antiquated tools don’t work with it.

ZOMG, there’s a separate deprecated Linux firewall tool for dealing with IPv6!!1!

So write rulesets that deal with that difference.

WTF, my segment scanning tools don’t work the same way they do with the one-true-IP ™.

The design work behind the v4 network stack started in the Nixon Administration. My parents, half of whom are now dead, weren’t even married.

YHGTBFKM; you can alias almost any address.

Really.

One of the guys actually tried articulating a security argument for PAT (probably not NAT, guy. Maybe if you’d paid any attention in your networking classes, you’d know the difference).

What PAT does do is allow you to effectively wall off your enclave to “protect” the assets inside it. You can do the same thing with a v6 netblock, too. One of the things I frequently listen to is very concerned about the “5G revolution,” and how it might allow the Chinese to control everything inside the US. Um, no. Any network security guy who’s paying attention can block things going out just as easily as he blocks things coming in.

I guess my message is: learn how to track things other than IPv4, and write your filtering rules for traffic in both directions.
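To make the two points above concrete (one ruleset that covers v6 as well as v4, and filtering egress as strictly as ingress), here is an added example that is not part of the original post. It is a POSIX shell script that emits an nftables ruleset in the `inet` family, so IPv4 and IPv6 share one policy and there is no separate ip6tables ruleset to forget. The interface names, the inbound ports (22, 443) and the egress allowlist (DNS, NTP, HTTPS) are assumptions for illustration; the ICMPv6 allowances are not optional on v6, since neighbour discovery and path MTU discovery run over it.

```shell
#!/bin/sh
# Added example, not from the original post. Generates (and optionally loads)
# an nftables ruleset in the "inet" family: one policy for IPv4 and IPv6,
# default-drop on input, forward and output. Ports and interfaces below are
# assumptions; adjust them for the host.

# Print the ruleset to stdout. Nothing is applied unless apply_ruleset runs.
gen_ruleset() {
    cat <<'EOF'
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        # ICMPv6 is not optional on v6: neighbour discovery and PMTU live here.
        icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, echo-request, packet-too-big, time-exceeded, parameter-problem } accept
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        # Inbound services (assumed: ssh and https); one rule covers both families.
        tcp dport { 22, 443 } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ct state established,related accept
        # Egress is filtered too. The stack's own ICMP (ND and MLD need ICMPv6
        # out), DNS, NTP and HTTPS are allowed; nothing else leaves.
        meta l4proto ipv6-icmp accept
        icmp type { echo-request } accept
        udp dport { 53, 123 } accept
        tcp dport { 53, 443 } accept
        # Anything else leaving the box is logged, then dropped.
        log prefix "egress-drop " counter drop
    }
}
EOF
}

# Sanity check that needs no nft binary: number of default-drop chains.
count_drop_policies() {
    gen_ruleset | grep -c 'policy drop;'
}

# Syntax-check the ruleset with nft, then load it. Needs root and nft(8).
apply_ruleset() {
    gen_ruleset | nft -c -f - && gen_ruleset | nft -f -
}

case "${1:-print}" in
    apply) apply_ruleset ;;
    *)     gen_ruleset ;;
esac
```

Run it with no arguments to review the ruleset, and with `apply` to load it. Because the table is `inet`, adding a v6 prefix to an allow rule later is a one-line change in the same chain rather than a second ruleset maintained with a second tool; the egress chain is what stops a compromised host from phoning home over whichever family the attacker prefers.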

Four

So, Sunday’s talks.

First up was this one.

The concept is good, I suppose, as was the discussion of how to do something like this: dealing with manufacturers, VCs, etc.

During the talk, however, all I could think about is whether you needed to write in LISP to get funded by Y-Combinator.

After thinking about it more, however, I have to wonder how long this will be viable. Yes, it’s a good solution right now, but what about two years from now? Will this USB device be at all useful in the future? (Snark: Maybe there’s something I can look up with my CueCat to find out…)

All that said, it certainly has the potential to be more secure, and more useful, than, say, an RSA token.

Interesting talk, though.

Three

This was perhaps the most thought-provoking talk I’ve seen so far.

That said, it probably wasn’t for the reasons the presenters wanted.

A family member is a data scientist. He and I have had discussions about using data in the decision-making process.

Yes, this presentation presented a ton of data. In my opinion, however, little of the data they collected really matters for either decision-making or product quality.

The third speaker was from a well-known group that uses data to drive its recommendations. Much like this unnamed organization’s automobile and computer recommendations, I don’t place a lot of weight on those recommendations.

In a lot of circumstances, even with all the collected data, the recommendations are really just personal preference.

I’ve run into that, too, with some of my professional experiences. A recommendation was preferred, and it was my job to doctor things so the pre-determined winner actually won.

A former customer, specifically a former GS-14, didn’t like that sort of engineering.

Perhaps I’ll find something more compelling to write about this, but things aren’t really coming together at this point. My head is swimming from all the talks today.

Two

Watched this one.

Overall, a good speech, and I swung around to speak to the speaker afterwards to see if she might know someone looking for a quick govvie hire. (I am Schedule A disabled; purportedly, that’s a good way to find a Federal job. Given that I’ve been looking for something like four years now, I’m not sure about that.)

She ran through a lot of the numbers about InfoSec job prospects. She did touch on the thing that I’m seeing far too often: people with store-bought degrees or “certifications,” who can’t do much of anything other than play Minesweeper. Memorizing things, then taking a purely multiple-choice test, says nothing about your ability to figure out how to deal with something that isn’t a lab example.

She did change my mind, a bit, on certifications that check up on current knowledge.

I can’t say, though, that the CompTIA family does that. Every time I study to win their latest Minesweeper release, I have to unlearn so many things just to pass the damned test.

One

Watched this, and ended up being the only one to ask a question.

(HTF does the non-coder guy with the scarred brain end up being the only one who asks a question…?)

I understand what he was doing, but I’m not understanding how you could gather any real useful information from the tool unless you have access to the running binary’s source.

The technique he’s using relies on the fork() function.

Maybe that’s still widely in use. Perhaps it’s one of the lazy programming techniques facilitated by fast machines and virtualization. I don’t know. I haven’t written a line of code in probably a decade.

But even for sloppily-written kludges, you can really restrict what binaries can do, with things like setting a maximum on the number of processes a user may fork (RLIMIT_NPROC, ulimit -u). Hell, one of the old ways to crash a system was a fork bomb; any admin worth a shit would easily be able to prevent that from working these days.

From the coding side, look at this.

The thing to do when running a problematic program, though, is to be really stingy with anything that could be exploited. This technique relies on spawning child processes; measure how many a known-clean binary creates, and cap it there.

Add cryptographic hashes on the binaries to that, and the technique becomes irrelevant.

Now this stuff might be useful if you can test binaries in a lab prior to deployment, but I don’t think that’s what the speaker was really getting at.
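The two controls mentioned above (a cap on process creation, and a hash check on the binary before it runs) compose into a short wrapper. The following is an added example, not code from the original post or from the talk; the manifest path, the manifest format (`sha256sum` output, one `<hash>  <path>` line per binary), the `MAX_PROCS` value and the sample file used in the test are all assumptions. `ulimit -u` is the shell's interface to RLIMIT_NPROC, which is a per-user limit that root bypasses, so the wrapper is meant to run as the unprivileged service account.

```shell
#!/bin/sh
# Added example, not from the original post. Refuse to run a binary whose
# SHA-256 does not match a stored manifest, and when it does match, run it
# with a cap on how many processes the user may have, so fork()-heavy
# behaviour fails with EAGAIN instead of flooding the box.
# MANIFEST and MAX_PROCS are assumptions: pick MAX_PROCS by counting what a
# known-clean build of the program actually creates, then add a little slack.

MANIFEST="${MANIFEST:-/etc/bin-manifest.sha256}"   # lines: "<sha256>  <path>"
MAX_PROCS="${MAX_PROCS:-64}"                         # baseline measured on a clean binary

# SHA-256 of a file, using coreutils sha256sum or BSD/macOS shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 if the file's hash matches its manifest entry, 1 otherwise
# (a missing entry is also a failure: unknown binaries do not run).
verify_binary() {
    bin="$1"; manifest="$2"
    expected=$(awk -v p="$bin" '$2 == p { print $1 }' "$manifest")
    if [ -z "$expected" ]; then
        echo "no manifest entry for $bin" >&2
        return 1
    fi
    actual=$(sha256_of "$bin")
    [ "$actual" = "$expected" ]
}

# Run the binary only if it verifies, under a per-user process cap.
# ulimit -u sets RLIMIT_NPROC for this shell and its children; it is per
# user rather than per process tree, and root is exempt, so run this as the
# unprivileged service account. (systemd's TasksMax= and the cgroup pids.max
# knob are the per-service equivalents.)
run_verified() {
    bin="$1"; shift
    if ! verify_binary "$bin" "$MANIFEST"; then
        echo "refusing to run $bin: hash mismatch" >&2
        return 2
    fi
    ( ulimit -S -u "$MAX_PROCS" && exec "$bin" "$@" )
}

# Usage: MANIFEST=/path/to/manifest MAX_PROCS=64 ./run.sh /opt/app/bin [args]
if [ "$#" -gt 0 ]; then
    run_verified "$@"
fi
```

The manifest is generated once from the clean build with `sha256sum /opt/app/bin > /etc/bin-manifest.sha256`, owned by root and not writable by the service account. The hash check is what makes the process limit meaningful: a limit protects the machine, but only the hash tells you the thing being limited is the binary you tested.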

Ready for Shmoo

Another year, another con.

I almost quipped something along the lines of, “will the delusion continue?”

That’s the wrong attitude to have, of course.

The talks this year appear interesting, so time to go have a nice time.

My attitude, though, has changed quite a bit, when it comes to dealing with the ever-present effort to force people to do things in your prescribed way.

I have a sense that that won’t be well-appreciated, but whatever. Maybe there’s someone there who’ll appreciate my sentiments. Maybe there’ll be someone who actually wants to hear them.

If not, a relaxing weekend of listening, writing, eating.

How About No?

Recruiter called and didn’t leave a message. Called the number back, and, naturally, it’s a huge staffing firm. The person who answered finally figured out who called me, and put him on the phone.

We have an opportunity in (somewhere I don’t live) with (some company who’ll remain nameless).

Uh, no. I’m not in that area, nor will I ever work for (nameless company).

This confused the hell out of him.

Wh-why won’t you work for them?

Because they’re dishonest, and I’m not at all interested in something if I’m not hired as a regular full-time employee.

He still didn’t understand.

Maybe I should have told him just to go fuck himself; perhaps he’d have understood that.

Happy New Year

Christmas was okay. Same for the New Year.

Not a lot going on, other than archiving a ton of email off GMail.

Yay for a day to recover, even if I only had one drink to celebrate yesterday.

Thirty

Wrap-up

The Saints lost to the Cowboys last night. I don’t know if anyone could have won, to be honest. For the game, I’d give the Cowboys a D+, the Saints a D-, and the officials an F. In the disgusting hypothetical of being a Cowboys’ fan, a win’s a win.

Somehow I’ve misplaced some of my entries. More. Again. It’s as if I really suck at managing things. But two wrap-ups — 2012, and 2013.

I don’t really know if the separation between the mood of the two entries is evident. Though I was a bit discontented in 2012, things really sucked in 2013. In 2012, my future was really uncertain after the contract I was working on had been substantially modified. In 2013, I was fully suffering the effects of that. I got laid off towards the end of January 2013, and signed on with the four-letter company for roughly 80% of what I’d been earning previously. Since I wasn’t able to travel, either, my salary had really been flat since 2010. 2009 was the year I earned the most money, but I spent probably eight of those twelve months working 60-hour weeks.

In no time at all, that was all gone. I didn’t help matters by drinking away my discomfort.

I haven’t recovered, and there’s a good chance I never will.

What’s weird, though, is despite my conversion to cleaner living, I still lack time and energy to do things really enjoyable.

Or maybe I don’t care about that because I am actually busy doing things I find interesting.

But I do need a break.  And a shave.  And a haircut.

Twenty-nine

What are your holiday plans for Christmas?

To quote Jeff Spicoli, “I don’t know.”

I’m kind of bound where I am, and there’s nowhere I really want to go. We’re supposed to go to some friends’ place for a short celebration for St. Nicholas’s Day.

I do still have friends I want to see. Family, *shrug.* There’s a variety of reasons for that. Instead of making an issue with disagreements, I just go away. It’s how I operate.

I think we’ll probably head in to the District one night to see the National Christmas Tree. Maybe have dinner somewhere nice. Day of? I don’t know. I’d be okay just spending time with my wife. We actually had a good time doing that last night, keeping each other warm. Maybe that’s the way things are supposed to work.

I will say that watching the Christmas special she’d chosen was a bit strange with the emphasis on kids. We’re not having any. The make-believe world has one Butters Stotch; a real world incarnation isn’t needed.

Somewhat-unrelated, though, I do need to rap a bit about work. It’s been an endless stream of job inquiries lately. At first, I attributed it to lag from my unemployment in Norfolk in 2017. Now, though, I’m seeing it as mainly laziness from the recruiting assemblage.

First thing — recruiters really don’t know what to say when you refuse a lucrative contract offer. If it is contract-to-hire, I counter with something along the lines of, “you will make a full-time offer during the first six months, or the contract terminates, and you owe me another six months’ contract pay.” When unemployment was 8%, maybe you could have gotten away with that shit, but it doesn’t work these days.

Second. Because of the way your clients are operating, I am no longer adhering to whatever you learned in your point-and-click recruiting seminar. No, my resume isn’t going to be two pages. It’s going to be as long as it needs to be to cover my twenty years’ experience. It’s also putting my few remaining full-time jobs up top, and my contract positions in a subsequent section. Not that I think that matters, as you’re using a fucking automated tool to search for keywords, but when you actually do look at it, you might notice that I do direct you to the applicable sections.

At some point you have to be firm on these things.

Maybe one of those contract positions would be more interesting than what I have now, but I doubt it.

But it’s time to stop for the evening.  Go take pills, and grab a nap before the Saints’ game.

One more day of the eighth year of this.  I have a problem, no?