Author: sean

Skeptical Sunday

Finishing up Things Fell Apart Season 2. I understand where he’s going with it, but I guess I see a bit of a middle way with it?

Okay, there’s overreactions, certainly.

At the same time, if you’re writing something, and you portray yourself as a “thought leader,” you have to assume that there’s some gravitas that goes along with that.

If you don’t know, or wouldn’t ever do those things, you shut the fuck up.

If you can’t help yourself, you have to repeatedly add disclaimers in and around what you say.

Maybe it’s even more important when you’re with a governmental, or quasi-governmental body.

My reaction to so many of these things lately, especially when people are calling for untested policy prescriptions, is you’ve decided you’re not going to try to convince me to do what you think would be best. You’ve snitched. You’ve called the cops. Down to the point where the cop shoots me, I want you to speak through the sequence of events.

Taking things to the bitter end state makes people really uncomfortable.

But it can eventually help. Okay, Ms. Real Estate agent, you’ve scored this house for me in a teaser interest rate. What happens eighteen months from now when I can’t make the payments after the rate’s reset?

I’m sorry I made you do math. I know you didn’t do well on that in school. To be honest, neither did I, but I got enough of it to buy a Science degree.

Of course, you don’t focus on worst-case scenario when you’re trying to make the sale. But it there’s a catastrophic result as a possibility, you have to lay that out, show mitigations against it, and show its likelihood.

*yawn*

I’m gonna go take a nap.

Late On Saturday

So it really doesn’t matter.

Work is incredibly trying at this point. Really trying to not get too caught up in asshole behavior, or, to needle the HR mafia, the equity that’s been stolen from me with new policies.

Just pace it along in with the family stuff that’s going on nearly a thousand miles away.

Kind of distracted on this Championship weekend. Only two games tomorrow. 1500, and 1830 Eastern.

Also tracking the stuff on the AI-generated photos of Taylor Swift.

So the solution is to snitch, call the cops? What can government do to fix the issue?

NOTHING

Except kill people and break stuff.

Should Daffy have killed Bugs for this?

What’s the difference?

The thing about seeing someone naked in an intimate way is different than just seeing a fake representation of someone engaged in whatever while namked.

Was I disappointed by the photos of a forty-something Belinda Carlisle in Playbo No. Were they representative of what she’d be on a routine day? Doubtful.

The chances of me actually ever seeing her naked in person are still exactly the same — zero.

B.C. did the shoot of herself willingly, and got paid for it. But let’s say she didn’t. How would throwing people in prison make the situation better?

For football tomorrow, I had this thought:

Just bouncing around ideas. There’s certainly better food in San Francisco and Ballimore, but those were what first came to mind.

Saturday Stuggle Session

Yes, I’m tapping the HR creatures’ favorite thing. Had some interesting discussions about it the comments ยง after one of the latest BARPod episodes.

Coming to realize that a lot of the discussion(s) surrounding what’s happening in newsrooms is that these young staffers are young people with severe cases of affluenza. They went to top-tier schools, probably many via legacy admissions policies

They work, often in concert with the similarly-backgrounded HR staff, to wreak absolute havoc.

All I do is refuse to participate.

And not consume any of their content. But I’m going to be pretty quiet about it.

Cannot concentrate. Resisting more coffee.

Following orthopedical procedures for a family member.

Turned Out The Shmoo

Wrap up in a sense.

My legs really weren’t working well yesterday morning, so forewent the talks, and just guzzled coffee (and this very strange gluten-free cranberry-orange muffin) in seating area up front. Telmnstr found a few people he knows, and Squidly1 floated in for a few minutes.

It was fluttering snow…and, as I said, I wasn’t working well physically (and I’m still not a day later), so I cancelled my short-bus ride, and grabbed a ride back to my perch inside the Beltway Swamp

We watched the couple of final things, including the closing from the sofa in the living room. My wife, who was just my girlfriend when she accompanied me to some of the early conferences, seemed to be mildly interested.

But after next January, they’re finished. Maybe someone will work up a replacement. Maybe not. Six of one, half-dozen of the other.

I am planning to go to the final. The trip is a nice respite for me, but there’s often things that leave me just shaking my damn head, sloshing around my already-scarred brain.

I’ve been really digging into heterodoxy lately. There’s certain things you’re supposed to believe, and do but few people really ever quantify whether these things are effective.

But towards the end of the closing, they gave prizes for the lock-picking competitions.

It’s kind of fitting accompaniment to this thing’s tagline. No security measure is unbreakable. That allows you to delete anything, and everything.

So you spread things around so you can reconstruct later if you want or need to.

Listening to this on and off as I write. This kinda plays into part of what I was doing at the hotel, and with the conference. Just pay the bits to grease the wheels, make your experience easier. I bet I could have navigated my suitcase to and drom the hotel room.

But I didn’t.

Why?

Because one, my body was rebelling against the strain I was putting on it, and two, paying the fee really isn’t a concern for me, but it might make the day of the recipient. What I paid to save me the pain of doing this, cost me less than fifteen minutes of my work labor.

Just pay it, and move on with your life.

That kind of relates to the Finding Freedom podcast ep. I appreciate what the guest is doing building a different social media app.

Great.

A lot of those really bad companiesTM make their money off scanning and selling your information.

Got it.

Pay ’em, and they stop doing that.

I apologize for getting really distracted here.

Shmoocon is, and was a lot of fun. I will do what I need to do to go to the last one next year.

Probably even if they make me wear a face diaper.

Shmoocon #7

I watched the last ones in “Belay It” on the stream from the hotel room. My legs just didn’t want to walk anymore.

Nothing particularly notable, unfortunately. Maybe it was general MS bleh killing my interest. Maybe it was the random hotel network dropouts.

Did make it down to try and watch the trivia contest. I didn’t;t have a pen to participate, and I couldn’t;t see the questios=ns to try to answer them.

We went to the bar for desert and more drinks. Good conversation, at least. Reminiscing about conventions of the past, and discussions of plans for the last one next year.

I think I’ll miss Shmoocon, but the whole experience is completely different for me than it was in the early days when I was coming up from Tidewater.

I have to wonder how much the mandatory masking is killing session attendances. Who knows?

Shmoocon #4

Watched this one. Well, the presentation section. They were in the Q&A at least, maybe.

I have the vaguest understanding of what he had done, and was trying to do, with regards to taking control of systems with a rogue keyboard.

Fascinating stuff to be sure, but I keep having this thing pop through my head about likelihood.

Yeah, you can do this stuff, but what’s the LOE, and what’s the probability somebody actually would do it?

When you have physical proximity to a system, can you do it within the access window?

I guess I really considered likelihood when I was younger.

I guess I did some when doing hardware integration, but for something like what was covered in the session, none of this is at all likely to happen.

As I’ve written before, cars and cooking are too-often captured metaphors, but it’s the first thing that came to mind; I’m sure you could manufacture a tire with a bulletproof sidewall, But why would you? It’s going to be heavy, and more expensive than most people whold be willing to pay for a tire.

Coming back to the keyboard, what are the chances someone would be in proximity to your PC or phone long enough to get in?

The vendors are rolling out patches that eliminate the vulnerability the speaker used. It’s a very simple fix. To a problem most people will never experience. That doesn’t mean it shouldn’t be fixed, of course, but why lose sleep over it??

Shmoo #2

Watching this about FEDRamp.

Off-the-cuff notes:

There’s a bot on Discord that searches for FIPS, and replies “FIPS is stupid.”

DoD has a strange ix of FIPS and old AF DoD controls

You should be using KMS.

Tenable now does have now have FEDRamp auth for scans.

Focus on identity control and change management.

You do inherit some things from Azure or AWS, but it doesn’t fix everything. It does make documentation package simpler.

Advicee is to use FEDRAmp mod over ____ (for small biz). It helps some, but very few products can actually use it. Tailored? Taylor’d?

Still not clear how POA&Ms can be aggregated.

If you’re in planning, use Rev5 for new things. Other Rev4 can stick for a while, but don’t do anything new.

Push to actually make one-stop shop.

LOE for POA&Msmis very, very, very high.

OMB has solicited comments on IT regulations, related the initial guidance on FEDRampl

Question about using LetsEncrypt certs on FEDRamp. (And you’re reading on a site sekur3d by LE..)

I do kind of understand what they’re trying to do, but I have kind of an automatic repusion towards it.

The idea of sending out really not-even-beta-leval solutions really just bothers the hell out of me.

zOMGSEKUREREST bits, showing that things are good is one thing…but you should have to show that A) the product sorta kinda works in the lab first, and B) scans of that sorta kinda working product happened before you plugged it in to the fucking Internets.

Too much of what I’ve seen lately fail on both of those questions.

But we’re moving way faster than before…IN AGILE SPRINTS….putting out things that probably don’t work as intended, and have quesitonable security.

But, like, it costs a bunch moar, so it must be good.

Shmoo #3

Ewe Can’t Truss You’re Ears.

Speaker from Totes-didn’t-used-to-do-evil company.

Focus on helping those of us who can’t see very well, or at all.

Lots of discussion of masking things in unicode to try to lure people into visiting bad sites.

I think there might be potential for doing things like confidence intervals, and requirements surrounding the levels required for browsing/redirection. So, the speech to text hit on a potentially-malicious return. The speech-to-text might think it’s 100% confident that that’s what the user wanted.

But you look at the actual amount of traffic to that site, you can say, no, that weird unicode look-alike isn’t what the user was trying to get to.

Were you trying to get to Google, gee-ooh-ooh-gee-ell-eee-dot-com? If yes, hit, “go.” If not, hit “stop.”

For my own stuff, I’m teetering on the edge of legal-blindness. I think last check, I was something like 20/70 in my right (and previously non-dominant) eye, and uncorrectable to 20/400 in my left. I still can type, but some of the predictive things of things like SMS on my iPhone are very beneficial to me.

If I’m not sure, I use a search engine (rarely the totes-didn’t-used-to-do-evil one the speaker worked for….I would say that I’m mostly DDG, with some Bing, and a smattering of Brave), and try to get to the best result.

I do see well enough to do that. But even if I didn’t, I still think there’d be a good way to answer a series of binary questions to get me to where I actually wanted to go.

Shmoo 1

Walked in to this a few minutes late.

The speaker is trying to do some ninjafu on name server setups.

I’ve written far more than anyone ever should about NS setup.

You can easily get back some real garbage on answers.

Feeding it all over TCP/HTTPS won’t fix it.

I think I understand what he’s trying to do with the tool he wrote.

At the same time, I’m not 100% sure I get the point.

You occasionally get bad stuff from NSes.

I don’t know….make sure your shit gives good answers?

If it’s a case where somebody outside is getting bad information from your domain’s servers, feed the problem to things like dynamic firewalls so no traffic comes.

So. you wanna go to footer.com. Their NS responses are suss. No, you can’t visit.

Like sex in the champagne room….

Death Rattles

Muted by the mandatory masks?

I’m here. They announced that next year is the last one.

Kind of have a room to myself for a bit; my roommate, my old biz partner, is running late.

So. Checked in. Going to go watch some of the interesting first-day talks.

Not sure what I think so far, honestly. Some back-and-forth among the assimilate waiting to check in. While the people I was talking to weren’t from a long way away, it was far enough to really justify a hotel room. Since I’ve been up here in DC, I haven’t tried to do the stay-at-home, and see the talks model. While Im inside the Beltway, it just seems like it’d be tedious taking a cab, or riding Metro.

Time to get downstairs….