Turned Out The Shmoo

Wrap up in a sense.

My legs really weren’t working well yesterday morning, so I forewent the talks and just guzzled coffee (and this very strange gluten-free cranberry-orange muffin) in the seating area up front. Telmnstr found a few people he knows, and Squidly1 floated in for a few minutes.

It was fluttering snow…and, as I said, I wasn’t working well physically (and I’m still not a day later), so I cancelled my short-bus ride and grabbed a ride back to my perch inside the Beltway Swamp.

We watched the couple of final things, including the closing from the sofa in the living room. My wife, who was just my girlfriend when she accompanied me to some of the early conferences, seemed to be mildly interested.

But after next January, they’re finished. Maybe someone will work up a replacement. Maybe not. Six of one, half-dozen of the other.

I am planning to go to the final. The trip is a nice respite for me, but there are often things that leave me just shaking my damn head, sloshing around my already-scarred brain.

I’ve been really digging into heterodoxy lately. There are certain things you’re supposed to believe and do, but few people ever really quantify whether those things are effective.

But towards the end of the closing, they gave prizes for the lock-picking competitions.

It’s kind of a fitting accompaniment to this thing’s tagline. No security measure is unbreakable. That allows you to delete anything, and everything.

So you spread things around so you can reconstruct later if you want or need to.


Listening to this on and off as I write. This kinda plays into part of what I was doing at the hotel, and with the conference. Just pay the bits to grease the wheels, make your experience easier. I bet I could have navigated my suitcase to and from the hotel room.

But I didn’t.

Why?

Because one, my body was rebelling against the strain I was putting on it, and two, paying the fee really isn’t a concern for me, but it might make the day of the recipient. What I paid to save myself the pain of doing this cost me less than fifteen minutes of my labor at work.

Just pay it, and move on with your life.

That kind of relates to the Finding Freedom podcast ep. I appreciate what the guest is doing building a different social media app.

Great.

A lot of those really bad companies™ make their money off scanning and selling your information.

Got it.

Pay ’em, and they stop doing that.


I apologize for getting really distracted here.

Shmoocon is, and was, a lot of fun. I will do what I need to do to go to the last one next year.

Probably even if they make me wear a face diaper.

Shmoocon #7

I watched the last ones in “Belay It” on the stream from the hotel room. My legs just didn’t want to walk anymore.

Nothing particularly notable, unfortunately. Maybe it was general MS bleh killing my interest. Maybe it was the random hotel network dropouts.

Did make it down to try and watch the trivia contest. I didn’t have a pen to participate, and I couldn’t see the questions to try to answer them.

We went to the bar for dessert and more drinks. Good conversation, at least. Reminiscing about conventions of the past, and discussions of plans for the last one next year.

I think I’ll miss Shmoocon, but the whole experience is completely different for me than it was in the early days when I was coming up from Tidewater.

I have to wonder how much the mandatory masking is killing session attendances. Who knows?

Shmoocon #4

Watched this one. Well, the presentation section. They were in the Q&A at least, maybe.

I have the vaguest understanding of what he had done, and was trying to do, with regards to taking control of systems with a rogue keyboard.

Fascinating stuff to be sure, but I keep having this thing pop through my head about likelihood.

Yeah, you can do this stuff, but what’s the LOE, and what’s the probability somebody actually would do it?

When you have physical proximity to a system, can you do it within the access window?

I guess I really considered likelihood when I was younger.

I guess I did some when doing hardware integration, but for something like what was covered in the session, none of this is at all likely to happen.

As I’ve written before, cars and cooking are too-often captured metaphors, but it’s the first thing that came to mind; I’m sure you could manufacture a tire with a bulletproof sidewall, but why would you? It’s going to be heavy, and more expensive than most people would be willing to pay for a tire.

Coming back to the keyboard, what are the chances someone would be in proximity to your PC or phone long enough to get in?

The vendors are rolling out patches that eliminate the vulnerability the speaker used. It’s a very simple fix. To a problem most people will never experience. That doesn’t mean it shouldn’t be fixed, of course, but why lose sleep over it?

Shmoo #2

Watching this about FedRAMP.


Off-the-cuff notes:

There’s a bot on Discord that searches for FIPS, and replies “FIPS is stupid.”

DoD has a strange mix of FIPS and old AF DoD controls.

You should be using KMS.

Tenable now does have FedRAMP authorization for scans.

Focus on identity control and change management.

You do inherit some things from Azure or AWS, but it doesn’t fix everything. It does make the documentation package simpler.

Advice is to use FedRAMP Mod over ____ (for small biz). It helps some, but very few products can actually use it. Tailored? Taylor’d?

Still not clear how POA&Ms can be aggregated.

If you’re in planning, use Rev5 for new things. Other Rev4 can stick for a while, but don’t do anything new.

Push to actually make one-stop shop.

LOE for POA&Ms is very, very, very high.

OMB has solicited comments on IT regulations related to the initial guidance on FedRAMP.

Question about using Let’s Encrypt certs on FedRAMP. (And you’re reading this on a site sekur3d by LE…)


I do kind of understand what they’re trying to do, but I have kind of an automatic repulsion towards it.

The idea of sending out really not-even-beta-level solutions really just bothers the hell out of me.

zOMGSEKUREREST bits, showing that things are good is one thing…but you should have to show that A) the product sorta kinda works in the lab first, and B) scans of that sorta kinda working product happened before you plugged it in to the fucking Internets.

Too much of what I’ve seen lately fails on both of those questions.

But we’re moving way faster than before…IN AGILE SPRINTS….putting out things that probably don’t work as intended, and have questionable security.

But, like, it costs a bunch moar, so it must be good.

Shmoo #3

Ewe Can’t Truss You’re Ears.

Speaker from Totes-didn’t-used-to-do-evil company.

Focus on helping those of us who can’t see very well, or at all.

Lots of discussion of masking things in Unicode to try to lure people into visiting bad sites.

I think there might be potential for doing things like confidence intervals, and requirements surrounding the confidence levels required for browsing/redirection. So, the speech-to-text hits on a potentially malicious result. The speech-to-text might think it’s 100% confident that that’s what the user wanted.

But if you look at the actual amount of traffic to that site, you can say, no, that weird Unicode look-alike isn’t what the user was trying to get to.

Were you trying to get to Google, gee-ooh-ooh-gee-ell-eee-dot-com? If yes, hit, “go.” If not, hit “stop.”
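As an added example (mine, not code from the post or from the talk it describes), here is one way to turn that reasoning into a check: decode any punycode, fold the spoken hostname to the Latin name it resembles, flag labels that mix scripts, compare it against a ranked list standing in for real traffic, and when anything is off, spell the name out letter by letter and ask the yes/no question. The confusables subset, the popular-site list and the 0.9 confidence threshold are all constructed for the example, not taken from anything the speaker presented.

```python
import unicodedata

# Constructed for this example: a small subset of look-alike mappings in the
# spirit of Unicode TR39 confusables, folding each character to its Latin skeleton.
CONFUSABLES = {
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
    "0": "o",       # digit-for-letter substitutions
    "1": "l",
}

# Constructed stand-in for "the actual amount of traffic to that site": the
# destinations this user (or the population) actually visits, ranked.
POPULAR = {"google.com": 1, "duckduckgo.com": 2, "bing.com": 3, "brave.com": 4}

STT_THRESHOLD = 0.9  # assumed confidence needed before STT is trusted unaided


def to_unicode(host):
    """Decode punycode (xn--) labels so a look-alike is visible; leave Unicode input alone."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def script_of(ch):
    """Script family of a letter, taken from its Unicode name (LATIN, CYRILLIC, ...)."""
    if not ch.isalpha():
        return "Common"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def mixed_scripts(host):
    """Labels mixing scripts (Latin + Cyrillic, say) are the classic look-alike trick."""
    flagged = []
    for label in host.split("."):
        scripts = {script_of(c) for c in label} - {"Common"}
        if len(scripts) > 1:
            flagged.append(label)
    return flagged


def skeleton(host):
    """Fold a hostname to the Latin name it is trying to look like."""
    folded = unicodedata.normalize("NFKD", host.lower())
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    return "".join(CONFUSABLES.get(c, c) for c in folded)


def spell_out(host):
    """Spell a host for a screen reader; non-ASCII letters get their Unicode
    name, which is what lets the ear catch what the eye cannot."""
    parts = []
    for c in host:
        if c == ".":
            parts.append("dot")
        elif c == "-":
            parts.append("dash")
        elif ord(c) < 128:
            parts.append(c)
        else:
            parts.append(unicodedata.name(c, "unknown character").lower())
    return " ".join(parts)


def judge(spoken_host, stt_confidence):
    """Go straight there, or ask a yes/no question, based on STT confidence,
    what the name looks like, and whether anyone actually goes there."""
    host = to_unicode(spoken_host.strip().lower().rstrip("."))
    reasons = []
    mixed = mixed_scripts(host)
    if mixed:
        reasons.append("mixed scripts in label(s): " + ", ".join(mixed))
    skel = skeleton(host)
    if skel != host and skel in POPULAR:
        reasons.append("looks like %s but is a different name" % skel)
    if host not in POPULAR:
        reasons.append("no meaningful traffic to this destination")
    if stt_confidence >= STT_THRESHOLD and not reasons:
        return {"action": "go", "host": host, "prompt": "", "reasons": []}
    # Offer the popular site it resembles, if any, and spell it out letter by letter.
    target = skel if skel in POPULAR else host
    prompt = "Were you trying to get to %s? If yes, say go. If not, say stop." % spell_out(target)
    return {"action": "ask", "host": target, "prompt": prompt, "reasons": reasons}
```

The point of spelling with Unicode names rather than just letters is that a Cyrillic "о" reads aloud as "cyrillic small letter o", so the screen-reader user hears the substitution that a sighted user would never see in the address bar.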

For my own stuff, I’m teetering on the edge of legal-blindness. I think last check, I was something like 20/70 in my right (and previously non-dominant) eye, and uncorrectable to 20/400 in my left. I still can type, but some of the predictive things of things like SMS on my iPhone are very beneficial to me.

If I’m not sure, I use a search engine (rarely the totes-didn’t-used-to-do-evil one the speaker worked for….I would say that I’m mostly DDG, with some Bing, and a smattering of Brave), and try to get to the best result.

I do see well enough to do that. But even if I didn’t, I still think there’d be a good way to answer a series of binary questions to get me to where I actually wanted to go.

Shmoo #1

Walked in to this a few minutes late.

The speaker is trying to do some ninjafu on name server setups.

I’ve written far more than anyone ever should about NS setup.

You can easily get back some real garbage on answers.

Feeding it all over TCP/HTTPS won’t fix it.

I think I understand what he’s trying to do with the tool he wrote.

At the same time, I’m not 100% sure I get the point.

You occasionally get bad stuff from NSes.

I don’t know….make sure your shit gives good answers?

If it’s a case where somebody outside is getting bad information from your domain’s servers, feed the problem to things like dynamic firewalls so that no traffic goes there.

So, you wanna go to footer.com. Their NS responses are suss. No, you can’t visit.

Like sex in the champagne room….
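An added example, not the speaker’s tool or anything from the post: a check that decides whether a domain’s authoritative answers are "suss" and, if so, emits rules for a dynamic firewall so the traffic never leaves. The two answer sets are constructed, the garbage criteria (servers disagreeing on A or NS records, non-routable addresses in a public zone, TTL 0, any rcode other than NOERROR) are my choice, and the nftables table and set name are assumed to already exist.

```python
import ipaddress

# Constructed sample, not a real capture: what two of footer.com's
# authoritative servers said to the same question. footer.com is the post's
# own stand-in name; the answers are made up to show the checks firing.
SUSS = {
    "ns1.footer.com": {"rcode": "NOERROR", "ttl": 300,
                       "a": ["203.0.113.10"],
                       "ns": ["ns1.footer.com", "ns2.footer.com"]},
    "ns2.footer.com": {"rcode": "NOERROR", "ttl": 0,
                       "a": ["203.0.113.10", "10.0.0.7"],
                       "ns": ["ns1.footer.com", "ns-other.example."]},
}

# Same shape, consistent answers, for comparison (also constructed).
SANE = {
    "ns1.footer.com": {"rcode": "NOERROR", "ttl": 300, "a": ["203.0.113.10"],
                       "ns": ["ns1.footer.com", "ns2.footer.com"]},
    "ns2.footer.com": {"rcode": "NOERROR", "ttl": 300, "a": ["203.0.113.10"],
                       "ns": ["ns1.footer.com", "NS2.footer.com."]},
}

# Address space a public zone should never hand out to the Internet at large.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]


def non_routable(addrs):
    """Return the addresses in addrs that fall inside a bogon range."""
    bad = []
    for a in addrs:
        ip = ipaddress.ip_address(a)
        if any(ip in net for net in BOGONS):  # version mismatch is simply False
            bad.append(a)
    return bad


def norm(name):
    """Owner names compare case-insensitively, with or without the trailing dot."""
    return name.lower().rstrip(".")


def assess(answers):
    """Reasons the domain's answers look like garbage; empty means they agree and look sane."""
    reasons = []
    ok = {}
    for server, r in answers.items():
        if r["rcode"] != "NOERROR":
            reasons.append("%s returned %s" % (server, r["rcode"]))
        else:
            ok[server] = r
    if len({frozenset(r["a"]) for r in ok.values()}) > 1:
        reasons.append("authoritative servers disagree on the A records")
    if len({frozenset(norm(n) for n in r["ns"]) for r in ok.values()}) > 1:
        reasons.append("authoritative servers disagree on the NS set")
    for server, r in ok.items():
        bad = non_routable(r["a"])
        if bad:
            reasons.append("%s handed out non-routable address(es): %s"
                           % (server, ", ".join(bad)))
        if r["ttl"] == 0:
            reasons.append("%s answered with TTL 0, defeating caching" % server)
    return reasons


def firewall_rules(domain, answers):
    """Turn a 'suss' verdict into nftables set additions that block every
    address the domain's servers returned. Assumes (my assumption, not the
    post's) that a set 'suss_hosts' exists in table 'inet filter' and a drop
    rule already references it."""
    if not assess(answers):
        return []
    addrs = {a for r in answers.values() for a in r["a"]}
    ordered = sorted(addrs, key=lambda a: (ipaddress.ip_address(a).version,
                                           ipaddress.ip_address(a)))
    return ["nft add element inet filter suss_hosts { %s }  # %s" % (a, domain)
            for a in ordered]


if __name__ == "__main__":
    for reason in assess(SUSS):
        print("footer.com:", reason)
    for rule in firewall_rules("footer.com", SUSS):
        print(rule)
```

Run against live data you would collect each server’s answer separately (not through a recursive resolver, which will only ever show you one of them) and feed the emitted commands to whatever the dynamic firewall actually consumes.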

Death Rattles

Muted by the mandatory masks?

I’m here. They announced that next year is the last one.

Kind of have a room to myself for a bit; my roommate, my old biz partner, is running late.

So. Checked in. Going to go watch some of the interesting first-day talks.

Not sure what I think so far, honestly. Some back-and-forth among the assembled waiting to check in. While the people I was talking to weren’t from a long way away, it was far enough to really justify a hotel room. Since I’ve been up here in DC, I haven’t tried to do the stay-at-home-and-see-the-talks model. While I’m inside the Beltway, it just seems like it’d be tedious taking a cab, or riding Metro.

Time to get downstairs….

Move On

One of the various news sites I follow had something about a Chapter 11 filing for one of the various news sources. Audacy filed for Chapter 11.

Reading about this brought back more memories of my days back in radio. Some of the details brought memories flooding back. Obviously, I had some friends and acquaintances at Entercom in Norfolk. I listened to a lot of programming out of WW1/CBS in DC. I actually pursued a job at WRVA in probably about 1999.

I don’t remember much about that. Richmond was really nasty in 1999. I don’t recall whether they didn’t make an offer, or if I turned it down. While WRVA seemed like a better fit for me than where I was at the time, I wasn’t thrilled with the prospect of driving to the 804 from Bad Newz several days a week.

Obviously, I’d end up doing that later, but for significantly more money.

My distaste for Richmond stems from my time in Ashland, and some of the stupid stuff that’s come from there in the intervening years.

I really don’t think that I made a mistake by not going for that. But that was the first time when I really felt underpaid. I think I was making seven bucks an hour. And going to school.

But I think about the decisions to stay where I was, and stay in school. And finish a Science degree. Even if my alma mater still makes people say, “huh?”

I would tell my dad that he was right about some of those things, but, well….

Saints didn’t make the playoffs, but they looked good the last few games. Too little, too late, but they’re right where they should be to make big strides next year. See: this year’s Lions. But, of course, they could fall hard.

I watched the College Football game last night. Jim Harbaugh has bothered me for a long time. I was rooting for Michigan. Of course, President Ford played there, so…..

I was working through this with my college football friend. I’m a double-legacy at Southern ~~Landmass~~ Mississippi. My recently-mentioned alma mater is Division III, and didn’t have football until my final year there.

College football isn’t something I’ve really followed.

My wife follows Georgia, and has since before she attended a D1 school. They only went D1 towards the end of her time there.

But I was kind of rooting for Georgia for her benefit. Lewis Grizzard would write about Georgia football.

So. Whatever. You want to follow a big college football program, that’s as good as any, I guess.

I used to run Virginia and Virginia ~~A&M~~ Tech games on the radio back in the day. But really not so much my thing. The game, too, really doesn’t even resemble the pro game anymore. And this is why you see guys like Josh Allen coming out of football powerhouses like Wyoming.

But I guess the reason I was slightly interested in the game was that the game this year wasn’t with an SEC or ACC participant.

Um.

I went to bed about five minutes into the second half. The first quarter was kind of entertaining, but it really wasn’t holding my interest.

Congratulations to Michigan, I guess?

The fight song repetition reminds me of a band instructor I had in high school who’d gone there.

We practiced that song so much.

Along with On Wisconsin for some reason.

Speaking of music…..


Random aside — she opened for Liz Phair at the show I saw back in November. The show didn’t sound great where I was sitting, but I heard a few things that made me go look her up on Apple Music later. Then I saw that President Obama put one of her tracks in his Top Songs of 2023 list. Listen a few more times, and, yeah, there’s things that stick in my scarred brain. Salad by Blondshell.


Going to post this to FB, but I can almost guarantee nobody will read this, or listen to the song above. *shrug*

Ende

More than half the day finished here on the right coast.

I would say that 2023 has been a bit less eventful than the few before it.

Going month-by-month would be difficult.

Generally, though, the first half of the year was really unsettled; I didn’t know what was going to happen going forward.

I ended up heading to see my mother in March, as my grandfather was worried about her after a few trips to the hospital.

Messaged the fantasy football league where I finished dead last. Aaron Rodgers’s injury on the first drive of the damn season kinda iced it for me very early.

Oh well.

Work, after half the year being in doubt, was incredibly stressful before December. I’ve checked out a bit the second half of the month since the HR geniuses stole the equity (read: unused leave) I’d bargained for when I took the gig. Whatever.

Time to figure out what to do for the first bit of the year. Dreading the MRI results in a few weeks.

At the same time, whatever. I’ve done the things I need to do to get us in a good place.

Time to take a break?

But I’m really never going to do that as long as I can type.

This is what I do. Even if I don’t get paid. (And if you’ve been on the Intertubes as long as I have, you’d understand that a .org is for non-commercial endeavors…)

In Spite of Myself

I have a bit of work left to do to pay my EBG!# protection racket. (Hint)

I hate it. Nearly every second.

But I got a few things out of it so far, I suppose. The audit tools available in modern Linux systems are kinda neat. I still think, however, that a Defense-In-Depth strategy is more effective, but I guess I get it.

I do still think it’s absolutely criminal that I have to pay hundreds of dollars for the privilege of continuing to work.

What.

Still trying to figure out how to align newer software development methodologies with Infosec procedures.

It’s worse in DoD, where often silly old guides have been grafted onto NIST standards.

I’m hungry; I should probably go eat something. All I’ve had today was a scone with my coffee.