Shmoo #2

Watching this about FEDRamp.


Off-the-cuff notes:

There’s a bot on Discord that searches for FIPS, and replies “FIPS is stupid.”

DoD has a strange mix of FIPS and old AF DoD controls

You should be using KMS.

Tenable now does have FEDRamp auth for scans.

Focus on identity control and change management.

You do inherit some things from Azure or AWS, but it doesn’t fix everything. It does make documentation package simpler.

Advice is to use FEDRamp mod over ____ (for small biz). It helps some, but very few products can actually use it. Tailored? Taylor’d?

Still not clear how POA&Ms can be aggregated.

If you’re in planning, use Rev5 for new things. Other Rev4 can stick for a while, but don’t do anything new.

Push to actually make one-stop shop.

LOE for POA&Ms is very, very, very high.

OMB has solicited comments on IT regulations, related to the initial guidance on FEDRamp.

Question about using LetsEncrypt certs on FEDRamp. (And you’re reading on a site sekur3d by LE..)


I do kind of understand what they’re trying to do, but I have kind of an automatic repulsion towards it.

The idea of sending out really not-even-beta-level solutions really just bothers the hell out of me.

zOMGSEKUREREST bits, showing that things are good is one thing…but you should have to show that A) the product sorta kinda works in the lab first, and B) scans of that sorta kinda working product happened before you plugged it in to the fucking Internets.

Too much of what I’ve seen lately fails on both of those questions.

But we’re moving way faster than before…IN AGILE SPRINTS….putting out things that probably don’t work as intended, and have questionable security.

But, like, it costs a bunch moar, so it must be good.

Shmoo #3

Ewe Can’t Truss You’re Ears.

Speaker from Totes-didn’t-used-to-do-evil company.

Focus on helping those of us who can’t see very well, or at all.

Lots of discussion of masking things in unicode to try to lure people into visiting bad sites.

I think there might be potential for doing things like confidence intervals, and requirements surrounding the levels required for browsing/redirection. So, the speech to text hit on a potentially-malicious return. The speech-to-text might think it’s 100% confident that that’s what the user wanted.

But you look at the actual amount of traffic to that site, you can say, no, that weird unicode look-alike isn’t what the user was trying to get to.

Were you trying to get to Google, gee-ooh-ooh-gee-ell-eee-dot-com? If yes, hit, “go.” If not, hit “stop.”

For my own stuff, I’m teetering on the edge of legal-blindness. I think last check, I was something like 20/70 in my right (and previously non-dominant) eye, and uncorrectable to 20/400 in my left. I still can type, but some of the predictive things of things like SMS on my iPhone are very beneficial to me.

If I’m not sure, I use a search engine (rarely the totes-didn’t-used-to-do-evil one the speaker worked for….I would say that I’m mostly DDG, with some Bing, and a smattering of Brave), and try to get to the best result.

I do see well enough to do that. But even if I didn’t, I still think there’d be a good way to answer a series of binary questions to get me to where I actually wanted to go.

Shmoo 1

Walked in to this a few minutes late.

The speaker is trying to do some ninjafu on name server setups.

I’ve written far more than anyone ever should about NS setup.

You can easily get back some real garbage on answers.

Feeding it all over TCP/HTTPS won’t fix it.

I think I understand what he’s trying to do with the tool he wrote.

At the same time, I’m not 100% sure I get the point.

You occasionally get bad stuff from NSes.

I don’t know….make sure your shit gives good answers?

If it’s a case where somebody outside is getting bad information from your domain’s servers, feed the problem to things like dynamic firewalls so no traffic comes.

So. you wanna go to footer.com. Their NS responses are suss. No, you can’t visit.

Like sex in the champagne room….
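To make the "their NS responses are suss, you can't visit" idea concrete, here is an added example (not the speaker's tool, and not real DNS data) that runs a few sanity checks over a constructed delegation snapshot and emits the allow/block verdict a dynamic firewall would consume. It uses footer.example in place of the post's footer.com; the parent-side NS set, the zone's own NS answer and the resolved addresses are all made up, and the documentation ranges 192.0.2.0/24 and 198.51.100.0/24 stand in for public addresses.

```python
import ipaddress

# Address ranges that should never be where a public name server lives.
# Documentation ranges are deliberately not listed so the constructed sample
# below can use them as stand-ins for public addresses.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed snapshots: what the parent zone delegates to, what the zone's own
# servers claim the NS set is, and the addresses each NS name resolved to.
SNAPSHOTS = {
    "footer.example": {
        "parent_ns": {"ns1.footer.example", "ns2.footer.example"},
        "child_ns": {"ns1.footer.example", "ns9.elsewhere.example"},
        "addresses": {
            "ns1.footer.example": ["192.0.2.10"],
            "ns2.footer.example": ["10.0.0.5"],       # private address
            "ns9.elsewhere.example": [],              # never resolved
        },
    },
    "ok.example": {
        "parent_ns": {"ns1.ok.example", "ns2.ok.example"},
        "child_ns": {"ns1.ok.example", "ns2.ok.example"},
        "addresses": {
            "ns1.ok.example": ["192.0.2.1"],
            "ns2.ok.example": ["198.51.100.1"],
        },
    },
}


def is_public(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in NON_PUBLIC)


def check_delegation(snap):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    parent, child = snap["parent_ns"], snap["child_ns"]
    if len(parent) < 2:
        findings.append("fewer than two delegated name servers")
    if parent != child:
        findings.append(f"parent/child NS mismatch: parent={sorted(parent)} child={sorted(child)}")
    for ns in sorted(parent | child):
        addrs = snap["addresses"].get(ns, [])
        if not addrs:
            findings.append(f"{ns}: no address, lame delegation")
        for addr in addrs:
            if not is_public(addr):
                findings.append(f"{ns}: {addr} is not a public address")
    return findings


def firewall_verdict(zone):
    """Decision a dynamic firewall could act on: block when anything is off."""
    findings = check_delegation(SNAPSHOTS[zone])
    return ("block" if findings else "allow"), findings


if __name__ == "__main__":
    for zone in SNAPSHOTS:
        verdict, why = firewall_verdict(zone)
        print(zone, verdict, *why, sep="\n  ")
```

The checks are intentionally coarse: a parent/child mismatch is sometimes just a migration in progress, so in practice the block decision would be fed with a short TTL and a path back to "allow" once the delegation settles.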

Death Rattles

Muted by the mandatory masks?

I’m here. They announced that next year is the last one.

Kind of have a room to myself for a bit; my roommate, my old biz partner, is running late.

So. Checked in. Going to go watch some of the interesting first-day talks.

Not sure what I think so far, honestly. Some back-and-forth among the assimilate waiting to check in. While the people I was talking to weren’t from a long way away, it was far enough to really justify a hotel room. Since I’ve been up here in DC, I haven’t tried to do the stay-at-home, and see the talks model. While I’m inside the Beltway, it just seems like it’d be tedious taking a cab, or riding Metro.

Time to get downstairs….

Move On

One of my various news sites I follow had something about a Chapter 11 filing for one of the various news sources. Audacy filed for Chapter 11

Reading about this brought back more memories of my days back in radio. Some of the details brought memories flooding back. Obviously, I had some friends and acquaintances at Entercom in Norfolk. I listened to a lot of programming out of WW1/CBS in DC. I actually pursued a job at WRVA in probably about 1999.

I don’t remember much about that. Richmond was really nasty in 1999. I don’t recall whether they didn’t make an offer, or if I turned it down. While WRVA seemed like a better fit for me than where I was at the time, I wasn’t thrilled with the prospect of driving from the 804 from Bad Newz several days a week.

Obviously, I’d end up doing that later, but for significantly more money.

My distaste for Richmond stems from my time in Ashland, and some of the stupid stuff that’s come from there in the intervening years.

I really don’t think that I made a mistake by not going for what. But that was the first time when I really felt underpaid. I think I was making seven bucks an hour. And going to school.

But I think about the decisions to stay where I was, and stay in school. And finish a Science degree. Even if my alma mater still makes people say, “huh?”

I would tell my dad that he was right about some of those things, but, well….

Saints didn’t make the playoffs, but they looked good the last few games. Too little, too late, but they’re right where they should be to make big strides next year. See: this year’s Lions. But, of course, they could fall hard.

I watched the College Football game last night. Jim Harbaugh has bothered me for a long time. I was rooting for Michigan. Of course, President Ford played there, so…..

I was working through with my college football friend. I’m a double-legacy at Southern LandmassMississippi. My recently-mentioned alma mater is Division III, and didn’t have football until my final year there.

College football isn’t something I’ve really followed.

My wife follows Georgia, and has since before she attended a D1 school. They only went D1 towards the end of her time there.

But I was kind of rooting for Georgia for her benefit. Lewis Grizzard would write about Georgia football.

So. Whatever. You want to follow a big college football program, that’s as good as any, I guess.

I used to run Virginia and Virginia A&MTech games on the radio back in the day. But really not so much my thing. The game, too, really doesn’t even resemble the pro game anymore. And this is why you see guys like Josh Allen coming out of football powerhouses like Wyoming.

But I guess the reason I was slightly interested in the game was that the game this year wasn’t with an SEC or ACC participant.

Um.

I went to bed about five minutes into to the second half. The first quarter was kind of entertaining, but it really wasn’t holding my interest.

Congratulations to Michigan, I guess?

The fight song repetition reminds me of a band instructor I had in high school who’d gone there.

We practiced that song so much.

Along with On Wisconsin for some reason.

Speaking of music…..


Random aside — she opened for Liz Phair at the show I saw back in November. The show didn’t sound great where I was sitting, but I heard a few things that made me go look her up on Apple Music later. Then I saw that President Obama put one of her tracks in his Top Songs of 2023 list. Listen a few more times, and, yeah, there’s things that stick in my scarred brain. Salad by Blondeshell.


Going to post this to FB, but I can almost guarantee nobody will read this, or listen to the song above. *shrug*

Ende

More than half the day finished here on the right coast.

I would say that 2023 has been a bit less eventful than the few before it.

Going month-by-month would be difficult.

Generally, though, the first half of the year was really unsettled; I didn’t know what was going to happen going forward.

I ended up heading to see my mother in March, as my grandfather was worried about her after a few trips to the hospital.

Message the Fantasy Football league where I finished dead last. Aaron Rodgers’s injury on the first drive of the damn season kinda iced it for me very early.

Oh well.

Work, after half the year being in doubt, has been incredibly stressful before December. I’ve checked out a bit the second-half of the month since the HR geniuses stole the equity (read: unused leave) I’d bargained for when I took the gig. Whatever.

Time to figure out what to do for the first bit of the year. Dreading the MRI results in a few weeks.

At the same time, whatever. I’ve done the things I need to do to get us in a good place.

Time to take a break?

But I’m really never going to do that as long as I can type.

This is what I do. Even if I don’t get paid. (And if you’ve been on the Intertubes as long as I have, you’d understand that a .org is for non-commercial endeavors…)

In Spite of Myself

I have a bit of work left to do to pay my EBG!# protection racket. (Hint)

I hate it. Nearly every second.

But I got a few things out of it so far, I suppose. The audit tools available in modern Linux systems are kinda neat. I still think, however, that a Defense-In-Depth strategy is more effective, but I guess I get it.

I do still think it’s absolutely criminal that I have to pay hundreds of dollars for the privilege of continuing to work.

What.

Still trying to figure out how to align newer software development methodologies with Infosec procedures.

It’s worse in DoD, where often silly old guides have been grafted onto NIST standards.

I’m hungry; I should probably go eat something. All I’ve had today was a scone with my coffee.

Quitting

For All Mankind

I tried hard, but this discussion kept running through my head as I watched Ep. 1. While I was going to give it at least one episode, I just couldn’t.

The speech about Chicago 1968 finally prompted the stop.

But I could have done it before…

When Ted Kennedy cancelled his trip to Chappaquiddick to deal with the news that the Soviets had gotten there first.

Or when the controlling Navy wife was upset that her husband wasn’t going to go after drunkenly shooting his mouth off to a reporter, and the prospect of him going to Pax River or to Vietnam.

Or the fact that her name was “Karen.”

Yeah, I’m not wasting much more time.

I’m really bad at giving up on things that just aren’t working for me. See: my work history from 2013-2017.

Maybe I’m wrong, but I can’t bring myself to try on that anymore.

Maybe I’m progressing.

Twiddle Thumbs

Furiously preparing for Shmoocon. Um. I guess it’s kind of taking away from me trying to pay my protection racket that’ll let me keep working. Until my vision finally gives up the ghost.

I have until May. The goal is to basically finish this coming week.

And I’m not doing anything for the week between Christmas and New Year’s.

Except take my damned shot.

I was really worried about being late last month. I’m not sure if that was coming across in my writing.

Maybe that sort of thing gets lost in the November writing streaks.

Considering abandoning the November streaks after next year (year fifteen), but we’ll see. Really trying to commit to skipping what I’d been doing in the summer.

Had a pretty good conversation with my wife about the occupational licensing requirements that are pervading the business environment lately. Thou shalt pay union dues, and pay some group’s protection racket, even if you’re not gonna need a degree in MDDR. (It’s pretty lazy to say that every politician with whom you disagree is a Fascist while ignoring the kind Communist regimes from the last century. Many, many, many policies I see floated in Maryland would fit right in in East Germany. But we’re not going to talk about East Germany. Or Romania. Or any of the other nasty places from behind the “Iron Curtain.” Maybe I should make it a point to visit Victims of Communism Museum.)

I should make it a point to do that. I think going to the book signing, and the Liz Phair show was the sort of thing I was excited about moving up here.

We’ll see how the Shmoocon weekend goes. What do I take with me, what do I smuggle back?

Running Late

Didn’t get a Shmoocon ticket, but I think I might have a hookup.

If not, I’ll just take time, and watch online.

Still a little upset that they’re still on with the fu^H^Hmasks.

*wanders away and back*

Yeah, it looks like I’m going. Okay.

They haven’t released the schedule yet. I’m sure there’ll be something interesting.

Aside: the predictive text in the browser as I’m typing is really annoying. I miss the days when I could write my entries in EMACS.

Next week, I get to pay that IT organization’s protection racket. Something to do the week before Christmas. I do have to go in one day for work, but it’s fine.

I’m going to do a few things I enjoy.

Immediate thing is that it’ll give me a chance to write compulsively…which I’m not supposed to be doing.

Oh well.

So little motivation to do anything today.