* Posts by mmccul

153 publicly visible posts • joined 10 Sep 2017


An early end to the holidays: 'Heartbleed of MongoDB' is now under active exploit

mmccul

Good luck finding them all

The real concern I have is all the embedded mongodb instances that are part of various other applications. Sometimes you know about them; sometimes it's hard to realize that under the hood is a mongodb instance that exposes the service on a non-standard (to you) port.

Publishers say no to AI scrapers, block bots at server level

mmccul

Block behaviors

I've been moving rapidly from blocking based on user agent strings to blocking based on behavior. If a given source engages in abusive behavior, including hitting too many sites, I have no concerns blocking them.

I also have no qualms blocking larger ranges of sources for increasing lengths of time if they misbehave.

In other words, if your robots.txt sets a crawl delay and someone doesn't follow it, block them, their neighbor, and their little dog too. Someone appears to be crawling a disallowed area? Block them. You don't care if it's a human or not, someone is not playing nice, so ban them for a week or four.

No, I'm not in a position where I'm significantly hurt if a search engine can't find a specific page of mine.

Snap out of it: Canonical on Flatpak friction, Core Desktop, and the future of Ubuntu

mmccul

Where's the server love

I really couldn't care about desktop Linux. I care about the server side. What is going to happen there, or am I going to lose Ubuntu as a viable server alternative? There are critical applications I run for which Ubuntu is the most supportable OS choice (RHEL and Rocky are not supported).

I feel that a lot of the changes discussed really are so desktop-focused that they forget that there is a whole group that runs Ubuntu as a server, paying for support directly from Canonical.

Lowercase leaving you cold? Introducing Retrocide

mmccul

Re: Priorities

That's why I've ended up adding Atkinson Hyperlegible fonts to my system, because they are all about legibility. There's a monospace version of the font as well.

Yes, it's just for my system, but it still makes it a lot easier to read things for me.

Workers: Yes, RTO makes sense. No, we’re not going to do it

mmccul

Considering how many managers have taken a view that they own: my health[1], my time out of work[2], my creative output outside of work[3]; I find it of no surprise that the RTO mandate is pushed. After all, few things reinforce the ownership of a company over a worker more than sitting in an office, looked over by the manager.

Saying workers can guess the stated reason doesn't mean they agree with it.

[1] Managers have consistently pushed people to come to the office when they know those people are contagious and there are others with serious health problems in the office

[2] Managers trying to require not just 40 hours, but 45 or more as "expectation of a knowledge worker". To the point that nine hours a day, working, is expected by many managers (in addition to any off-hours work for changes or incidents, with no comp time for that extra time)

[3] Despite pre-declaring ownership of creative material, I've seen more than one company attempt to claim they somehow owned works and material created before I ever worked for them, just because I continued creating, having filled out the disclosure forms that it was a "prior invention"

Coder wrote a bug so bad security guards wanted a word when he arrived at work

mmccul

Isn't referring to columns in a spreadsheet or CSV by position number (or letter) standard today for most software? Certainly seems to be in most tools I've used that manipulate CSVs in the past year...

T-Mobile US CSO: Spies jumped from one telco to another in a way 'I've not seen in my career'

mmccul

Re: FIDO2

In many cases, unfortunately, the FIDO2 credential is the only credential. No password or PIN associated with it.

I've learned this the hard way, watching me have to do no more than "click yes, I want to send my FIDO2 credential to login to this site"

mmccul

Re: FIDO2

Yes, you're being naive. Most FIDO2 credentials I've had set up didn't even offer me the option of creating a PIN.

Will passkeys ever replace passwords? Can they?

mmccul

Authentication is hard

I've looked into passkeys a fair amount, and the more I dug in, the more cynical I've gotten. It's proof of control as a single factor authenticator. There is no second factor in most implementations.

Yes, some implementations require a PIN to activate a given credential, but that is rare (and didn't permit non-numeric PINs in the implementation I was seeing). I also see very few implementations that are implementing protections to prevent the private key from being extracted or copied elsewhere.

There's a certain irony that in the era of multi-factor authentication, we are seeing so much push for a single factor authenticator.

Switching customers from Linux to BSD because boring is good

mmccul

Re: Lack of commercial support is a problem

And then it lists a whole bunch of tools that even the sales people don't claim are EDR, like OSSEC, Snort, Tenable vuln scanner, etc.

Having dealt with Heimdal Security before, I'm especially cynical about them.

mmccul

Lack of commercial support is a problem

For any system I run today, I need the ability to run certain tooling, such as an EDR (yes, including on servers). Unfortunately, support for the *BSDs is quite lacking. Yes, there are longstanding feature requests to add support, but the movement has been away from the BSDs, not toward them.

NIST: New smoke alarms are better at detecting fires, but still go off for bacon

mmccul

Re: Just like UK building regulations say

Broiling is direct application (i.e., not heating a cooking surface) of heat from above the food, typically about a third of a foot away. Generally, broiling has a way to have juices or grease move away from the food.

Grilling is direct application of heat from below the food. Sometimes, people will grill using something like cast iron with the ridges so that the food doesn't lie flat on the cooking surface, but the heat radiated from the cast iron gives a similar effect.

Yes, you could call broiling upside down grilling, but since the heat is from above, there is often less risk of the food falling through the grill and being lost.

Apple AirPods Pro 2 can be sold as hearing aids, says FDA

mmccul

What's that?

I'm sorry, I couldn't hear you.

CrowdStrike hopes legal threats will fade as time passes since it broke the world

mmccul

Mistakes happen

I was impacted by CrowdStroke and had a very uncomfortable few days assisting (in my limited way) on the recovery. I wasn't servicedesk, facing long lines of irate users with broken laptops, trying the then latest recovery strategy and hoping it works the first time, but I was certainly working on it.

I read the preliminary incident report and the final. Frankly, I'd rather deal with a company that is willing to say "We messed up, here's how we're going to do better" than a company that hasn't admitted they've messed up. I feel CrowdStrike has admitted their mistake and explained reasonably how they intend to improve -- at a level a technical person can follow.

Once upon a time, in interviews, I asked people to describe a major mistake made by their team (didn't have to be them), what happened and how it was dealt with. I thought it was a nice way to swap war stories, get a bit of a feel of how the candidate approached nightmare problems. The one answer I didn't accept? Someone who insisted major mistakes didn't happen with proper planning. The interview effectively ended on that question. A business that takes a similar attitude isn't one I want, because that means when (not if) they make a major mistake, they won't admit it, won't improve, just hide it.

White House’s new fix for cyber job gaps: Serve the nation in infosec

mmccul

Re: Find me people worth hiring

I was interviewing for my consulting firm, in the Bay area, no clearance required, with Bay area salaries.

mmccul

Find me people worth hiring

I spent ten years as a security consultant. One of my jobs was to interview candidates. Time after time, I was sent "senior security analysts", "SOC analysts", "Security Engineers", even "Security Architects" as candidates to interview.

Time after time, I indicated "Do not recommend, needs remedial training."

Not every time, but often enough that it became something of a joke. I had recruiters listen in on my interviews only to realize, if anything, I was understating the problems. I started writing direct quotes from the candidate into my writeup to explain "We can't use this person."

I've provided trainings, mentored individuals, and otherwise encouraged the career of others into the field. It is a constant problem to find people who are up to the level of "know they know nothing".

Telling people to get into the field isn't very useful if we aren't sent people who are worth the cost of the chair they sit in.

A nice cup of tea rewired the datacenter and got things working again

mmccul

Tea count meter

At work, I often set my status to how many cups (well, 10oz mugs) of tea I've had thus far that day, as an indicator of how stressful the day has been. People are okay at 2-3, get nervous at 4-5, start to panic anywhere above that. They also get nervous if I hit 4 cups by the 09:30 team check-in call.

And for the record, single estate black tea from Sri Lanka or a small tuo cha (about 5-6g) of pu-erh, depending on my mood.

Client tells techie: You're not leaving the country until this printer is working

mmccul

The other side...

I was on the other side of such a situation. I was the customer.

Major OS upgrade of an HP-UX server. As the clueful customer who had sysadmin background, I asked for three days to do the OS upgrade. HP professional support told me I was ridiculous, it'd be done in 4 hours, maximum. We convened everyone, including the lead "sysadmin" (who actually had no sysadmin background, but I was helpfully training because they were a good problem solver and learned well) to do the upgrade -- only to find out we had a known bad version and we had to abort before we began. The next chance we had was the next week Thursday at noon...

The sysadmin was a professional organist and was playing at a wedding that Saturday, even if they didn't have a job the following Monday. We get together, confirm we have the good OS disks (I think these were DVDs, but I could be off, it was 2-4 disks total). Computer hangs on boot after upgrade. No recovery.

Professional services looks at it, shrugs and says "Wow, we've never seen that before. Good luck with that, good bye!"

We pull out our HP Ignite image we carefully took right before we started, against Professional Service's advice, rebuild the system from that, verify it works right and start figuring out how to recover.

Friday afternoon, the sysadmin flies home on their flight, we haven't figured out how to solve the problem. The sysadmin's boss called another person and said "Here is a one-way ticket to $CITY. You are there to represent the sysadmin team." The person had no sysadmin background, didn't know a lick of HP-UX (or even any close enough Unix to be useful), but they were there and not allowed to leave until the problem was solved.

Meanwhile the application vendor's tech rep and myself (in theory just an application admin) are doing all the technical work of figuring out what could be the problem, what to try next. I'm briefing VP level leadership every four hours on our progress, or lack thereof, so everyone knows exactly how bad the situation is.

Saturday night, 60 hours into our upgrade effort, working 20 hour days, we found the source of the problem -- from the first line tech support at HP. None of the second or third liners knew the problem, but this first line tech support person rattled the solution off immediately, and it fit perfectly the symptoms. We kicked that off and 12 hours later, we had the OS upgraded, the application updated to use the new OS and everything working fine. I'm told the poor sysadmin with the one-way ticket actually did get a ticket home before Tuesday.

Total time start to finish: 72 hours. Exactly the three days I said I wanted for the change.

ICANN reserves .internal for private use at the DNS level

mmccul

Is it really final?

A little unfortunate that no links were provided to ICANN of the actual results. The only thing I was able to find myself was a note that the comment period was closed and that the recommendation would be forwarded to the ICANN board for further consideration, which would imply it isn't final.

Or is there another link that's a little harder to find?

Microsoft punches back at Delta Air Lines and its legal threats

mmccul

Re: Is this normal?

Often, CapEx is purchased gear, OpEx can be used for leased gear and cloudy gear. Has to do with tax rules and depreciation from what I understand.

Forget security – Google's reCAPTCHA v2 is exploiting users for profit

mmccul

Post-login checks are the worst

By far the worst offenders for me are a few websites I need to go to for professional reasons where I am presented a login screen to log in. I do so. After I successfully log in, then it requires me to fill out one of those visual captchas.

Yes. After a successful login.

AWS is pushing ahead with MFA for privileged accounts. What that means for you ...

mmccul

Re: So far so bad

To be technical, of more concern is that under NIST SP800-63b 5.1.6.1: "Single-factor cryptographic software authenticators SHOULD discourage and SHALL NOT facilitate the cloning of the secret key onto multiple devices." Apple and Google not only do not discourage, they facilitate cloning the secret key (which is all a passkey is) onto multiple devices. It is unclear how Microsoft behaves. I've seen conflicting information there.

US senators propose guardrails for government AI purchases and operations

mmccul

The actual referenced definition of AI in the bill is 15 USC 9401:

The term "artificial intelligence" means a machine-based system that can, for a given set of human-defined objectives, make predictions, recommendations or decisions influencing real or virtual environments. Artificial intelligence systems use machine and human-based inputs to-

(A) perceive real and virtual environments;

(B) abstract such perceptions into models through analysis in an automated manner; and

(C) use model inference to formulate options for information or action.

From my perspective, almost every bit of code I work with meets that definition. From your spam filter to your image editor (e.g. identify which photos have faces in them, "smart" editing brushes, automatic exposure adjustment) to even your automatic lights that turn off if you're too still for too long. I see it as too broad a definition, by far.

Lansweeper finds a lot of CentOS Linux out there

mmccul

"EOSL" is years past full support

Really, RHEL 7 (and CentOS 7) hit EO (full) SL in 2019. That's when Red Hat stopped promising to create fixes that Red Hat deemed less than what security teams call "crits and highs". Sounds not too horrible, but there are exploits that can get access to your system that officially are only a "moderate". Red Hat is who decides what gets a fix, not you.

A few months ago, a few security issues went around that Red Hat said were outside support scope, but we were required to fix immediately because of the security (and compliance) impact.

Now, Red Hat uses the term "End of Full Support" (which hit on 2024-05-31 for RHEL 8). The description Red Hat gives for what they provide on the ESL license shouldn't inspire anyone with confidence, especially when you read between the lines: Support will not delete the documentation or the patches, and if something seems super-critical and they can't pretend otherwise, they'll provide a fix. Other than that? Good luck, you shoulda upgraded before 2019. (I remember when CSRs were more honest. They'd admit they'd just delay your ticket for two weeks, do no work on it, then say they can't reproduce it, then close the ticket.)

So, really, it's a bit disingenuous to claim the ESL truly "extends support". It extends the maintenance support, mostly, but you shouldn't be counting on that for a production (or development) system.

US senator claims UnitedHealth's CEO, board appointed 'unqualified' CISO

mmccul

Re: I think this is overblown

While the CISO is a manager, they need to understand the needs of security. The risk analysis questions that CISOs face are unique compared to other C*O managers. They cannot just rely on their deputy CISO to provide that risk analysis.

Why does that matter? Knowing the details of infosec allows the CISO to understand which efforts to prioritize inside their division, which initiatives are likely to be a more effective use of funds.

SMEs provide expertise in their specific area, but are not the persons to balance competing efforts from their own department.

Twilio cofounder buys The Onion

mmccul

A piece of history

As someone who used to read the Onion when they specifically covered Madison, Wisconsin (and remembers the story of Van Vleck (where the math department was housed at UWisc) being pushed over by drunken students (it makes more sense if you see the building)), I'm glad that the Onion is being kept around, at least in some form.

I felt they lost something when they went national, but they kept coming out with bits here and there that showed some of the same biting wit found in the Onion when they were local-only.

Amongst the things I miss? The craziest, most inane police reports of them all. (The line at the time was it was the only thing in the Onion that was accurate).

As for ads, even back then as a pure physical paper publication, it had some rather *interesting* ads.

FCC votes 3-2 to bring net neutrality back from the dead

mmccul

Re: A little late.

By taking longer, having comment periods, etc., that makes it harder to rule that the change was arbitrary or failed to follow laws requiring public input, and thus more proofed against the inevitable lawsuits.

Majority of Americans now use ad blockers

mmccul

Re: I allow "acceptable ads"

Given that Vivaldi has a built in ad blocker (albeit less configurable than uBlock Origin or Privacy Badger), I am watching closely what is going to happen there.

mmccul

Re: Still too low.

Alas, those who work in US Federal space use that word and don't understand how offensive it is. To them, "infosec" is a foreign word. Language difference.

IBM CEO pay jumps 23% in 2023, average employee gets 7%

mmccul

Re: Forget about the stratosphere...

When the CEO gets 23% and makes so much more than everyone else, it jumps the average employee compensation up. A lot.

(There's a reason arithmetic mean isn't very useful for most things people use it for).

What would be more useful is the median increase of employee wages at each of the various pay bands.

Infosec teams must be allowed to fail, argues Gartner

mmccul

Gartner says something clueful?

What alternate universe have I woken up into where Gartner is saying something sensible?

When it comes to working from home, Register readers are bucking national trends

mmccul

Re: cross-linking

Having worked remotely since the 1990s, except for a few year stint pre-COVID in the office, I can say I learned more from "random conversations" as a remote worker than in-person. I hold conference call sessions left and right with various teams, and being remote means I actually talk to people from departments I'd never talk to in-person -- because we wouldn't be using the social channels of the various chat tools.

In person/office? No one talks to anyone, even inside your department, unless there is no other choice.

OpenAI: 'Impossible to train today’s leading AI models without using copyrighted materials'

mmccul

Re: Sounds like...

The arguments being made by several artists (and it sounds like the NYTimes as well) are that OpenAI is scraping material that they had no legal right to access in the first place, material for which OpenAI actively evaded technical restrictions governing access.

NIST: If someone's trying to sell you some secure AI, it's snake oil

mmccul

Re: "trustworthy AI"

For years, I said that in security, trust is a dirty word.

Ransomware payment ban: Wrong idea at the wrong time

mmccul

Re: Wrong

Already exists for many ransomware gangs. It's under the laws banning providing any funding for or doing business with embargoed organizations, countries, etc. Not all of them, of course, but enough of them are operating from an embargoed country, or have been directly linked to supporting terrorism that existing laws make it very risky to pay out blindly.

Bricking it: Do you actually own anything digital?

mmccul

For Kindle (app on a tablet in my case), I use it for a few things. First, it's a very small physical form factor, which for me is important. I purchased the Kindle Unlimited subscription to get access to a lot of books that will never get into a library. They aren't literary masterpieces, but they entertain me. Second, I want the physical form factor a tablet brings that I can read at night without the use of a light. I want the ability to push the font size up to triple the size I usually read at, not rely on external magnifying prisms that are clumsy at best.

I also read enough to justify the cost of Unlimited (Yes, more than 100 books a year from it, this year I'm closing in on about 125 books read this year from Unlimited, many of those books are advertised at the $2-$4 mark for purchase, and I'd never read most of these books again.)

mmccul

For me, music is what I go back to again and again. I purchased a rather large physical CD collection over many years. Eventually, I ripped those CDs myself to digital format. Some music I purchased digitally out of laziness, but then I found a music seller that sells nearly DRM free versions reasonably (It clearly indicates the online store I purchased the file from in the comments), which encourages both my laziness and my desire to have full control.

I still regularly listen to tracks from the very first CD I ever owned (no, I won't admit what it was). Music I purchased roughly thirty years ago remains high on my list of favorites. My collection of Haydn's music alone is literally days worth of unique music (I don't mean multiple versions of the same song, Haydn just wrote that much). Some of the music is difficult to find.

So, for music, I'm picky. I have two versions of Mozart's Requiem Mass in D minor that exhibit why I'm so picky and won't accept streaming very clearly. To someone not attuned to the genre, it's the same music, but I very heavily prefer one rendition over the other version. (And that doesn't get into the difference between Yo Yo Ma doing the Prelude of Bach's first Cello Sonata versus the Piano Guys rendition of the same, completely different songs using the same score.)

SolarWinds charged after SEC says biz knew IT was leaky ahead of SUNBURST attack

mmccul

What really is clear from reading the actual SEC release on their charges is that the charges rely heavily on supposed warnings by a single individual. That creates the question, was the individual who issued the warnings a known worrywart, with a reputation for overstating risks and demanding disproportionate security for the analyzed risk? Just because they were right this time doesn't mean that a reasonable person, at the time, would have viewed the warnings by that person as realistic or appropriate.

I raise this point because I've been at shops where someone tried to demand completely disproportionate security to the threat profile, which would have exceeded the entire IT budget to address. I've also seen cases where risks were claimed in order to justify "security" tools that actually created more risk for the organization (I'm sure you know the kind I mean).

I expect we'll see a lot of expert witnesses arguing that not only were the warnings commensurate to the known threat profile at the time, but that they were willfully ignored rather than postponed due to other legitimate priorities.

CISOs' salary growth slows – with pay gap widening

mmccul

"CISO"

At many shops I've gone to (as a consultant), the "CISO" was actually doing the work of a security team lead, thinking they had a technical role in addition to a direct supervisory role over technical staff. At very few shops was the CISO given actual authority over building a strategy for the security program, the ability to craft a budget to execute that strategy.

Some of it was CISOs who refused to admit they were no longer in a technical role, but a managerial one. Other times, it was that their own manager wouldn't give them the authority they needed to do their job. I've worked with CISOs who knew they were not a security analyst, not a security manager, or even director of security, but a CISO. It was very different in experience. I wonder, how many of these "CISOs" were doing the job of a CISO, and how many were doing the job of a security team lead?

US government's Login.gov turns frown upside down, now smiles on facial recognition

mmccul

Re: That's Just Great ... Photo Pleeez

It's identity assurance, not authentication. It's one part of many steps. It's saying "Instead of taking your fingerprints, we're willing to take a face photo as a part of establishing your identity."

mmccul

Isn't that the case for oh so many contracts awarded to the lowest bidder, not just in federal space, but anything IT?

(Speaking as someone who worked for many years for a contracting firm that didn't try to be the lowest bidder. Sometimes the joke was we were who you called after you fired the lowest bidder.)

mmccul

Identity Assurance is not Authenticator Assurance

A lot of confusion exists thinking that the facial recognition is 1. sufficient, 2. part of authentication. Neither is true.

The announcement states that facial recognition is being added to the acceptable list of biometric methods that is used to establish the identity. That's prior to issuing the authenticator to the individual. None of this has anything to do with authentication, it's all about identity proofing.

When you actually look at the rules for IAL2 (like I've done for far too many hours at a time), you realize that the biometric factor is one of many things involved in establishing the identity. Take out facial recognition for a moment. Instead, look at the problem this way. You are doing something sensitive, so you go to an office, present your picture ID and are fingerprinted. The fingerprint collection (the most common form of biometrics used for IAL2 and IAL3) is not just "do you have a criminal record", it's part of the overall process of establishing who you are. The fingerprints (or facial recognition in this case) help as part of the verification of the evidence presented, just like when one presents an ID, there are features checked to ensure it is a valid ID (e.g. a hologram being present on many US IDs).

mmccul

Passkeys are authentication. IAL is identity assurance. Different problem space.

iPhone 12 deemed too hot to handle for France's radiation standards

mmccul

"Apple unsurprisingly rejected the ANFR's claims. It told The Register that ..."

Apple actually responded to The Register?

Aerial cable tangles are still being strung up, but carriers are slowly burying the problem

mmccul

Re: The problem with burying: you need a map..

That was part of the training. Ask the backhoe operator where they believed the cables weren't, check there first because the odds were good you'd find the cable at that exact spot.

mmccul

Re: The problem with burying: you need a map..

Fiber cable coating typically carries a metal wrapping. When trying to locate a cable, the procedure is to apply a low voltage current of a selected frequency to it at one of the access points (e.g. a manhole, utility shed), then use effectively a metal detector aimed at the exact right frequency. The "line locate and protect" job also carries equipment that allows one to determine how deep the cable is.

Is the job faster with a map? Not really. Those maps are often off by half a mile or more.

(Yes, I had to be trained for line locate and protect once many years ago.)

Microsoft hits back at Tenable criticism of its infosec practices

mmccul

Not sure what to think

On the one hand, it's bad if Microsoft (or any vendor) downplays legitimate vulnerabilities, but on the other hand, I've seen plenty of cases where "vulnerability researchers" glory-hound and try to attract attention by verbally attacking the organizations that the "researchers" claim have vulnerabilities for not moving fast enough.

Tenable isn't exactly on my good list for respectable behavior or quality vulnerability detection or analysis. I deal with far too many cases on a regular basis of hilariously bad detection logic and invented vulnerabilities (without even a CVE or CVSS score, but "high severity") in the software to trust their research completely. That back history I have causes me to be less willing to trust them than many other vendors.

Microsoft, as a vendor, has plenty of motive to downplay or belittle the vulnerability report. While the Microsoft of today is nothing like the Microsoft of fifteen years ago, there is still some inherent distrust I have of them.

And no, I'm not willing to presume that the truth is "in the middle", because that just encourages one side to lurch dangerously to an extreme, arguing that the truth "must be in the middle" when they defined the middle by their extreme position.

Creator of the Unix Sysadmin Song explains he just wanted to liven up a textbook

mmccul

Re: socket is still a socket...

"I am the very model of an animated individual" (Animaniacs) I think will also help keep the song alive.

Of course there's ObXKCD: https://m.xkcd.com/1052/

Microsoft kicks Calibri to the curb for Aptos as default font

mmccul

Compared and found lacking

I just did a comparison of a few fonts: Calibri, Times New Roman, Bierstadt, Bierstadt Display and Roboto. I used the same text and 12pt size.

Interestingly, Bierstadt was the widest of the fonts, with Calibri being the narrowest. None of the fonts passed the capital O vs zero test of being able to readily identify which it is without them being next to each other in a case where either would make sense.

Bierstadt and Bierstadt Display's lower case L was awkward and the tail bled into the next letter, especially apparent when the next letter was vertical as well.

None of the sans serif fonts knew how to differentiate a pipe character | from others except by making the pipe a bit longer than the capital I.

Roboto "appears" to be the largest visually. Bierstadt Display and Calibri were easily the two smallest. I could not readily decide which of the two was smaller.

Times New Roman, despite being on the smaller side for apparent height, had the largest apparent spacing between words, causing (for me) the least bleeding of words into each other. The difference may not be real, but it looked that way to me.

Obviously, everyone has different preferences, mine tend to wider spacing between letters and words to make each letter easier to distinguish, as well as a more distinct visual display between each letter, but none of the "chunkiness" I find in some fonts.

My testing was similar to an eye doctor saying "is this larger/clearer, or is this one?" Looking at two lines first one, then the other, reading the whole text as well as examining selected letters commonly hard to distinguish.

mmccul

Too small

I've always felt Microsoft defaulted to a font a touch too small. Every time, I've increased it to 12pt and found the size much more accessible to me. Over the years, I've found that people took the "12pt" default, clearly thought px == pt (they aren't) and set all web fonts to 12px, which is generally 9pt.

My main use of Stylus has been to fix websites to force minimum font sizes of 12pt in everything. I'm also hardly alone in desiring reasonable standard sizes. If we could get away from the era of shrinking letters, that'd be nice. The only good news? Most people seem to agree that 4pt fonts are too small. (I remember a time when T&Cs were often printed below 6pt in size on websites and on paper, even when there was no space reason to suggest such except to discourage reading.)
