That’s All, Folks

I watched the final bits of Shmoocon.

Lots of the typical stuff I’d expect.

There have been lots of lessons learned amongst the staff and participants.

You build on others’ previous successes, and end up creating something better.

The assembly of the community, however, is something you really can’t replicate.

I’ve had bits of seemingly-unusual connections. It probably started with my brother marrying one of the Hack-of-Halo staff’s sister. (I don’t know that he’s been around the past few years….he’s actually been building more humans…)

So, the charge from The Potters was to go find or build something else (using what you’ve learned at Shmoo…).

The personal connections, however, are something I didn’t really create many of.

Do people know me because of my attendance at Shmoocon? Um. Probably not very many.

I am very introverted. When I started attending, I was doing IT work amidst my regular overnight radio duties. There’s a lot of things you can do in the IT world in the middle of the night. When you’re the only person working, so long as the stations are on the air, you can do whatever you need to do.

As things have progressed, however, I’ve had moments where the NoVA groupthink really bothered me. That’s probably a lot of the reason I didn’t want to spend my very-limited funds on coming to DC to participate.

I did enjoy socializing more when I was younger, but that’s kind of worn off as I’ve gotten older.

This year, with my body really betraying me, I spent very little time down in the rooms.

Could someone do something similar that’s all done with the advances that have come in network technology? We’re doing seminars these hours, then drinking for a few hours afterwards.

At the same time, I wonder how many of the people who were so amped about Net Neutrality in, say, 2011, would have ever been okay with Ajit Pai at the FCC.

I am absolutely amazed at the speed increases. This was supposed to be impossible, so it was terribly important to constrain things into what seemed possible not very long ago.

If you’d asked me in 2014 if I’d ever see Gigabit speeds almost everywhere, I’d have said you were nuts.

I’ll look around, but I’d really like something virtual. I do like drinking my own liquor, showering in my own shower, and sleeping in my own bed.

I can get fascinating food. Maybe there’s something that can be done to urge people to try things they never have before. Still channeling this.

The trip to DC tended to help me get out of my comfort zone, and try things I wouldn’t have.

So, will I miss Shmoocon? Yeah. But I think there are ways to find a replacement absent staying in a decaying hotel.

And if there’s something interesting to watch/listen to, I can write about it.

CouchCon

Headed out early after another fitful night of sleep. I’m not going to disparage the hotel; it’s something else that got really f’d with the pandemic.

I know, I know. If I had my mask on, I wouldn’t notice the loud HVAC, or malfunctioning shower. That I expect those things is another example of my privilege. I would tell you to go check BlueSkeet for confirmation. No, I shouldn’t say that, but it’s really sad that a small fragment of smart people are retreating into their own little world. Was Reddit not enough?

So, onto the talk. I wanted to watch the one on hot dogs, but two of the three channels are crickets. The one about MLOps is the only one with sound, so that it is. Some information about how AI models are thrown off by stuff from botnet upvotes. (And I’m thinking of the days way back when some folks were showing off driftnet, which was a program that just displayed images from HTTP sessions. Someone, and I shan’t mention who, wrote a curl script so that it looked like people were looking at some really sick stuff. See the popular section here.)

And the video dropped on that one. Try Build It again. And there’s sound. discussion of embedded device something or the other. They destroyed a printer earlier.

Listening to the stuff about powering over USB-C, using Arduino, is interesting. The collection of various Raspberry Pis kind of shows how short my attention level is lately.

I do think kids today are missing out on the elation that comes from making the magic smoke come out of hardware with software you wrote.

And that stream fell down. But now the others are back with audio. Juggle around until next ones start…


And I ended up watching the presentation by the guy from The EFF. I appreciate most of his bits about treaties, and authoritarian governments that are parties to those treaties.

Lots of back-and-forth with the language of the treaty that allows the signatories to actually do whatever they want despite being parties to the treaty.

Why worry about it at all, then?

That’s kind of what leads me to thinking that every law, every treaty, should have a mandatory end date. If everyone thinks that the principles are good, it shouldn’t be a big deal to pass something similar again.

Do the Russians, Norks, and Mullahs adhere to treaties ratified by previous governments?

I worry, too, about things that end up being backdoors through previously-ratified treaties. I admit that my thinking about that is heavily-influenced by what happened with the pandemic.

No. I won’t carry a vaxport. If you wanna throw me in prison because that’s what it is. Do it. Do it publicly. Have no shame about it.


I will watch the rest, and give final thoughts as I consider things. I will miss ShmooCon, but some of the things I saw this weekend are reminiscent of some of the things I saw in about 2012/13.

I am happy that there seems to be some pushback against it, but I worry that with the pushes after Trump’s election, and with the pandemic, people are getting pushed more into small walled gardens where they don’t see or hear things that they don’t like. I admit I’m kind of guilty in this sometimes, but I really would like to sample lots of different sources, and make up my own mind.

The things discussed in places like The Fifth Column, Blocked and Reported, and The Free Press give me a lot of things to consider that are different than the near-uniformity in major corporate press.

*shrug*

So, off to listen to the last bits of this.

Chunking

No, I’m not feeling that lousy, but my legs really aren’t working well. Switching out heavier laptop bag for smaller Shmoo bag helped, but I was still pretty exhausted with just what I did tonight.

Trying to decide if I want to come back for the final bits of Shmoocon tomorrow.

*checks schedule*

Yeah, I’m gonna go home. There’s not anything I think I’d miss if I wasn’t here in person. Nobody needs to see the staggering guy in an NPC mask. Hardly anybody recognized me, anyway. I don’t think there’d be anything I can really get.

So, in-person chapter closed. I’m happy I’ve done this so many times. A little bit of regret that I lost the inspiration to give a talk, but I’ll probably just sneak off by myself again. I don’t know that I actually attended many of the early ones; I had to get back to Norfolk for my Sunday night airshift.

Alcohol was largely eschewed early on, too.

I don’t know that I’ve seen anything very exciting, however. As my health has failed, and my work has gotten farther and farther away from the nuts and bolts, I’ve lost familiarity with the awesome haxxor tools.

I actually was describing something to an INFORMATION SECURITY PROFESSIONAL about reading raw wire data on something that’s going to generate a bunch of network traffic.

Go watch the stuff in … and I stopped myself from saying Ethereal in favor of Wireshark. You’ve done that, right? Uh, yeah, but not in a long time.

Yeah, me either. But it shouldn’t be anything very foreign. You make a suggestion that you know is going to cause a ton of network traffic…turn on Wireshark and watch for a few minutes when you do it to see if things blow up.

Not rocket surgery.

*distracted for a bit with a problem*

Yeah, I’m going home in the morning.

I will miss Shmoocon. Maybe somebody could do something in, say, Ashland near Kings Dominion when the park is closed?

I think I’ve figured out what I need to do to pay Redacted’s protection racket.

Whether that matters is another question altogether.

Will tune in some things at home tomorrow morning.

ShmooCon Day 2 Morning Belay It

Really not feeling great this morning, but I was able to get back up to the room to watch.

First one was about tracking Kubernetes. I’ve not done anything, really, with Kubernetes, so this is kind of new for me.

Lots of discussion about things with /dev/bpf in Linux. I didn’t realize that it was still there?

Transitioned in to discussion of risk analysis and prioritization. Too much effort is being spent

This is very applicable to some of what I’m doing for work, but it’s something a lot of the sekurity mastars don’t understand. I’m thinking of one IAC I was working. Yes, it’s a Medium vulnerability. Yes, that finding negatively-affects the overall system score.

But I’m pretty sure the number of users with privileges to exploit it can be counted on one hand, and implementing the system change would take weeks, and use all system resources during the implementation.


Next talk was about how exploitation works. Some interesting information about how to exploit things like Totes-Didn’t-Used-To-Do-Evil KDE Browser extensions.

“John The Ripper” can crack things like the Apple Passwords utility, which is actually pretty good unless you get the Apple account password.

PowerShell script available for testing Windows hosts for common accounts.

Recommendation of auditing accounts that might cause a problem if they’re compromised.


Went into this one with great skepticism.

There was a talk, and it probably would have been like 2018, that really focused on Russian influence in the 2016 election.

This isn’t taking that tack. The speaker didn’t do a good job disguising his political bias, unfortunately.

Nothing with the sort of things that I think might repair the Presidential system, at least.

  • Expand the House. Take a state’s population, divide by the smallest state’s population, and round UP to the next whole number. The 435 limit in the House isn’t set anywhere other than by legislation from the Wilson administration.
  • Do electoral vote allocation the way Maine and Nebraska do. Winner-take-all goes away, unless a candidate actually gets a majority of the vote in a state.
  • Repeal the Seventeenth Amendment

Bits on foreign interference. No evidence of it actually provided, just as it wasn’t with the 2016 election. When a Republican wins, it’s foreign interference. When a Democrat wins, you can’t even question it.

In the Presidential elections where I’ve been old enough to vote, I’ve mostly voted for the Libertarian candidate.

Not impressed with that one.


Time to rest a bit, see if my body will allow me to go back downstairs to watch more in person. Ugh.

End Of The Moose

Settling in to my hotel room for the final Shmoocon. Early check-in? Sure, why not?

Perusing the schedule for what I might want to see.

Kinda tempted to bounce out early on Sunday. I can watch closing remarks from home. While I’d like to do some schmoozing after closing remarks, there’s a tiny dog who needs my attention at home.

Looks like mostly Belay It, with a smattering of Bring It On.

Shows just how little building I’m doing these days, I guess.

So, here we go.

Busy Week

Hi!

Yeah, I’ve been incredibly busy all week. Maybe that really affected my attention, but I generally do feel okay about some of the things I’ve pushed back on with work.

I do think there’s a hard push to do things in the most stupid, expensive ways possible, but there’s not a ton I can do about that.

I still am tempted to stick with the halve-and-grow-back-as-needed approach to just about everything.

That approach has worked for me in so many instances. But, like, the vendor says you need to buy this really expensive stuff!!1! Noted. It’s not your money. You were hired to make things work effectively, and the vendor “requirements” aren’t your requirements. You have to make the product work, not sell hardware or software.

It’s even more of an issue when one vendor is selling both.

But to do proper work requires doing engineering using tried-and-true practices, scream waterfall scream, but it works. Yeah, I know getting someone important to sign off on your engineering work takes time, but you’re spending other people’s money. In the case of tax money, it’s money that’s been forcibly taken.

Do the right thing. You have to look at yourself in the mirror.

That admonition leads me into the news section of things. Yes, I’ve been paying attention even if I haven’t said a lot…..

The UHC murder case. Lots of speculation from some really terrible people. Oh, it was justified because he’d been denied care by UHC. This is what you get when you’ve got for-profit insurers denying care. Any reasonable person could understand why he did what he did. Except he wasn’t insured by UHC, had been involved with psychotropic drugs, was from an affluent family, and…. Senator Warren, I will continue to ignore you, still, as best as I can. Maybe some Pow Wow Chow can distract me. The Substacker, formerly of The Old Grey Lady, and Space Cowboy Jeff’s tax write-off, I will refrain from raw-dogging anything to do with you.

Daniel Penny was acquitted. I’d just as soon avoid NYC until Alvin Bragg is gone. While I hear things that NYC is better than it was last time I was there, they elected these people, and deserve the consequences.

Looks like I am going to go to the final Shmoocon. Never got a response on the sponsorship tickets, but I’m pretty sure there is one available for me through a friend. If they ever get back to me on the sponsorship, I’ll stick to my promise….and have probably two tickets to move. But I am going. Room booked. It’s earlyish this year, so it’ll be cold. Given some of the past experiences, that seems absolutely appropriate. 2009 was such an odd experience, but it’s something I’ll remember as long as I live. Or was that 2010? I don’t remember. Pretty good con content, and it snowed. Hard. So hard that the atrium between the buildings collapsed. I helped push a DC cop out of a snow bank. I’ve barely spoken to some people with whom I was formerly close because of things that were said over the then-new Twitter. I really can’t see anything I’d written about it back then. Now thinking more about it, it was probably 2010, because I was definitely having issues that’d lead to my MS diagnosis just a few months later.

Drones. I haven’t been outside to glance at the sky in the past few nights. I’m outside most often early in the morning when I’m going to and from the gym. I haven’t seen anything. Obviously, there’s the information coming out of New Jersey, which coincidentally was where War Of The Worlds was set, Governor Hogan up in MDDR, etc.. I don’t know. Well, they ought to be shot down!!1! Um. By whom? And what about damage that happens on the ground because of the downing? I don’t know. I’m not sure that putting anyone in prison would fix it, assuming they’re competent to stand trial. But like the Chinese balloon that was shot down over the Atlantic Ocean after it’d cruised across the US, open up, y’all. But I’m also trying to still work my way through the Star Wars movies simultaneously. Are they like clones?

This morning, saw something that reminded me of the reasons I’m very much down on the reinvented Libertarian Party.

If anyone reading is interested in knowing why this is an antisemitic trope, I’ll assume that you’re savvy enough to STFW, and find out.

And I think I’ve written enough for today. Off to do some of the other things I need to do today.

18

Let’s write about MS.

Flashback to question from 2017, and what I was tentatively examining back then.


Are you listed as an organ or bone marrow donor? Why or why not?
Yes. Because I really don’t need them after I’m dead; what do I care?
Whether there’d be much to salvage from my diseased body is a different story, altogether.

So, more 2012 recycling….

You see what I wrote above, so again….

Are you listed as an organ or bone marrow donor? Why or why not?

I don’t know? I don’t have a driver’s license anymore, so I don’t think I had to answer the question about the organ donor bit.

Would anyone want my bone marrow with the various maladies I’ve developed, the abuse to which I’ve subjected my body? I don’t know.

It’s incredible how heavy these questions seemed back then. Today, who really cares? By and large, anything that’s in my body can be used by whoever needs it.

I have told my wife that I would like whatever’s left of me to be fired into the sun. If they haven’t figured out the process when it happens, cremation works.

I hope that I’ll find motivation to do a few more in-advance prompts tonight/tomorrow. I’ll probably spill my Thanksgiving plans Monday, then write about how it went on Friday.


I had a pointer here wanting to write about how the hopes of success on this were vanquished. My skills searching the web are really failing on this. NHI study. It looks like a lot of the promise Dr. Zamboni had found weren’t reproducible.

I remember reading MRI results not terribly long ago where the analyst did seek to rebut the CCSVI diagnosis on my results; my head drains just fine.

Nobody knows what caused my MS.

I’ve been on Kesimpta since last summer. I really don’t know how well, or if, it’s working. I don’t think I really wrote too much about starting my current DMT.

The first half-dose of it was absolute hell. The second wasn’t fun. The third half-dose wasn’t really much to talk about. Then onto the regular once-a-month schedule. Oddly enough, my day-of-the-month for taking it is the 29th, which worked this year. I don’t know what I’ll do in future years, since for 75% of years, there’s no February 29th.

Since I’ve been on the drug, I’ve noticed some end-of-dose weirdness a few times. I do wonder if I’ve had at least one exacerbation, but I won’t know until I have an MRI this summer.

But are the somewhat-strange things I’ve had going on just because I’ve been over-exerting myself?

I don’t know.

I’m going to stick with the exercise stuff I’ve been doing at least through the end of the year. I don’t know that I’ve really seen a ton of benefits yet aside from increases in strength and endurance. I don’t know that there’s that much discernible benefit yet; I haven’t lost that much weight.

My balance certainly is better despite falling this morning after being startled by a dog in the complex.

Hey! Can you take out the things in the flower beds with thorns?

But I’m going to forego the new COVID shots. I don’t know that I’d get any benefit from it, and I don’t want to do anything until I’m sure that everything’s settled with the DMT.

I do have another colonoscopy next year.

I wish there was a way to combine the propofol for both procedures. I wouldn’t care at all about being stuck in the tube if I was on that…..

But, thankfully, I think I’m finished for the year with medical stuff.

But I did finish a lot of my most-pressing work. Hopefully I can finish paying my protection to the certification cabal again, and be finished.

I’ve tried to get things set up for the final Shmoocon, but haven’t gotten a response so far. I want to buy two of the sponsor-a-student tickets to make sure I can go, and maybe set up one of my friends who’ve been around for a long time.


Along those lines, I’m halfway tempted to see about setting up an alternate version at the Wardman Park Marriott again just for commiseration.

You member when the glass roof collapsed?

Yeah, I member.

Turned Out The Shmoo

Wrap up in a sense.

My legs really weren’t working well yesterday morning, so I forewent the talks, and just guzzled coffee (and this very strange gluten-free cranberry-orange muffin) in the seating area up front. Telmnstr found a few people he knows, and Squidly1 floated in for a few minutes.

It was fluttering snow…and, as I said, I wasn’t working well physically (and I’m still not a day later), so I cancelled my short-bus ride, and grabbed a ride back to my perch inside the Beltway Swamp.

We watched the couple of final things, including the closing from the sofa in the living room. My wife, who was just my girlfriend when she accompanied me to some of the early conferences, seemed to be mildly interested.

But after next January, they’re finished. Maybe someone will work up a replacement. Maybe not. Six of one, half-dozen of the other.

I am planning to go to the final. The trip is a nice respite for me, but there are often things that leave me just shaking my damn head, sloshing around my already-scarred brain.

I’ve been really digging into heterodoxy lately. There are certain things you’re supposed to believe and do, but few people really ever quantify whether these things are effective.

But towards the end of the closing, they gave prizes for the lock-picking competitions.

It’s kind of fitting accompaniment to this thing’s tagline. No security measure is unbreakable. That allows you to delete anything, and everything.

So you spread things around so you can reconstruct later if you want or need to.


Listening to this on and off as I write. This kinda plays into part of what I was doing at the hotel, and with the conference. Just pay the bits to grease the wheels, make your experience easier. I bet I could have navigated my suitcase to and from the hotel room.

But I didn’t.

Why?

Because one, my body was rebelling against the strain I was putting on it, and two, paying the fee really isn’t a concern for me, but it might make the day of the recipient. What I paid to save me the pain of doing this, cost me less than fifteen minutes of my work labor.

Just pay it, and move on with your life.

That kind of relates to the Finding Freedom podcast ep. I appreciate what the guest is doing building a different social media app.

Great.

A lot of those really bad companies™ make their money off scanning and selling your information.

Got it.

Pay ’em, and they stop doing that.


I apologize for getting really distracted here.

Shmoocon is, and was a lot of fun. I will do what I need to do to go to the last one next year.

Probably even if they make me wear a face diaper.

Shmoocon #7

I watched the last ones in “Belay It” on the stream from the hotel room. My legs just didn’t want to walk anymore.

Nothing particularly notable, unfortunately. Maybe it was general MS bleh killing my interest. Maybe it was the random hotel network dropouts.

Did make it down to try and watch the trivia contest. I didn’t have a pen to participate, and I couldn’t see the questions to try to answer them.

We went to the bar for dessert and more drinks. Good conversation, at least. Reminiscing about conventions of the past, and discussions of plans for the last one next year.

I think I’ll miss Shmoocon, but the whole experience is completely different for me than it was in the early days when I was coming up from Tidewater.

I have to wonder how much the mandatory masking is killing session attendances. Who knows?

Shmoo #2

Watching this about FedRAMP.


Off-the-cuff notes:

There’s a bot on Discord that searches for FIPS, and replies “FIPS is stupid.”

DoD has a strange mix of FIPS and old AF DoD controls.

You should be using KMS.

Tenable now does have FedRAMP auth for scans.

Focus on identity control and change management.

You do inherit some things from Azure or AWS, but it doesn’t fix everything. It does make the documentation package simpler.

Advice is to use FedRAMP mod over ____ (for small biz). It helps some, but very few products can actually use it. Tailored? Taylor’d?

Still not clear how POA&Ms can be aggregated.

If you’re in planning, use Rev5 for new things. Other Rev4 can stick for a while, but don’t do anything new.

Push to actually make one-stop shop.

LOE for POA&Ms is very, very, very high.

OMB has solicited comments on IT regulations, related to the initial guidance on FedRAMP.

Question about using LetsEncrypt certs on FedRAMP. (And you’re reading on a site sekur3d by LE..)


I do kind of understand what they’re trying to do, but I have kind of an automatic repulsion towards it.

The idea of sending out really not-even-beta-level solutions really just bothers the hell out of me.

zOMGSEKUREREST bits, showing that things are good is one thing…but you should have to show that A) the product sorta kinda works in the lab first, and B) scans of that sorta kinda working product happened before you plugged it in to the fucking Internets.

Too much of what I’ve seen lately fail on both of those questions.

But we’re moving way faster than before…IN AGILE SPRINTS….putting out things that probably don’t work as intended, and have questionable security.

But, like, it costs a bunch moar, so it must be good.