Honeypot.net logo Honeypot.net

The coffee shop is fine

I hear too many acquaintances worry that employees might work from a coffee shop or other public network, putting their whole company at risk. So what if they do? The idea that a coffee shop’s Wi-Fi is insecure implies that there’s a mythical “secure” network that can be trusted with the company’s secrets. That’s almost never true.

Work-from-home employees are on a tame home Wi-Fi setup, right? Don’t count on it. Is their gear current? Are they sharing Wi-Fi with their neighbors? Are they using their apartment building’s network? Who’s their ISP? Although their home setup might – or might not – have fewer people on it than the local cafe’s, that doesn’t make it trustworthy.

What about the employees we coerced into returning to a legacy office and using its Wi-Fi? Oh. You mean that named network that sits around with a target on its back as belonging to important people? Unless you manage your own office, and it’s in a Faraday cage blocking all outbound or inbound radio signals, and you pretend that MAC filtering is a security feature, and all your equipment is patched with the latest security updates, and you have guards walking around with fox hunt antennas to spot rogue access points, it’s not substantially better in the ways that count. If you can read this at work, at least a few of those assumptions are likely wrong.

The idea of a “trusted network” is dead. It’s time we stop pretending. If an employee can be compromised at the coffee shop, they can be compromised at the office. We have to design our defenses as though our staff are working from the free network at DEF CON. That means making sure all employee devices and servers are patched. That all connections are encrypted, even those between internal systems. That authentication uses cryptography, not passwords. That we don’t pretend that “route all traffic” VPNs are a good idea. That we don’t rely on allowlisted IPs as a critical defense. That we don’t trust any network our employees might use, and that our systems are robust enough to endure hostile environments. Yes, even the ones we tell ourselves are safe.

And if we’re not comfortable with our coworkers typing away next to a fresh latte, it’s our responsibility to figure out what part of that bothers us and then fix it. The issues that would make that scenario dangerous affect the “secure” office, too.

I found a odd control in AWS Security Hub’s CIS Benchmark 3 findings. It reports “IAM Access Analyzer external access analyzer should be enabled”, even if it is enabled in another account with organization-wide scope. Support’s advice is to disable the control.

Fine. It seems like an edge case, although maybe a common one for orgs with multiple accounts. I’m OK with silencing the false positive since we monitor that other account with its own CIS Benchmark 3 report.

We went to the local swap meet across the channel from the Port of Oakland. Photos don’t do justice to the enormousness of the container ships moored here daily.

A giant Hyundai container ship loaded with pink and orange and brown and other brightly colored containers in front of some giant cranes and a clear blue sky. It sits across a channel and some car roofs are in the foreground.

All household children deny knowledge of the situation, but I am skeptical.

A bag of frozen microwaveable burritos that has been open from both ends.The same bag with both ends rolled up and closed with bag clips.

Today I learned about Emacs’s table handling. Start with a mess:

| *Name* | *Type* | *Flavor* |
|--|--|--|
| Orange | Fruit | Orangeish |
| Water | Liquid | N/A |
| Pineapple | Armored fruit | Summer |

Run M-x table-recognize and press TAB. Now you have:

| *Name*    | *Type*        | *Flavor*  |
|-----------|---------------|-----------|
| Orange    | Fruit         | Orangeish |
| Water     | Liquid        | N/A       |
| Pineapple | Armored fruit | Summer    |

❤️

Literally every time I open the CA DMV digital drivers license app:

  1. “You need to refresh your license!” Fine.
  2. “To do that, you need to log back into the DMV website!” Alright.
  3. “Your password is expired. You need to update it!” Ugh, really, whatever.
  4. “System Unavailable”. throws phone

Every. Time. If I ever try to use this to board a flight, I’m so sorry for the people behind me in line that day.

If I bought this, “everyday" would mean “…for the rest of my life, and you’ll have to bury me in it.”

Picture of a normal-looking shirt: &10; &10;“Best everyday v-neck t-shirt &10; &10;$15,202 at its website &10; &10;Pros: &10; &10;+ Buttery soft fabric &10; &10;+ Has a hint of stretch to move freely &10; &10;Cons: &10; &10;x Not the most stylish pick” &10; &10;Not mentioned: &10; &10;+ Grants the ability to fly

Sometimes Rust makes me so happy. I wrote this over the weekend:

let embedded_data = include_bytes!("../static/data.bin");
let my_set: HashSet<&[u8]> = embedded_data[7..].chunks(10).collect();

It does this:

  1. Read a binary file and embed it in the final executable as an array of bytes.
  2. Create a HashSet (Python folks: a set() of items of a specific type) where each element is an array of bytes.
  3. Skip the first 7 bytes of the binary file using Python-like slice notation.
  4. Create an iterator that emits 10-byte portions of the rest of the file, one at a time.
  5. Collect all the values from that iterator into… oh!, a HashSet<&[u8]> because Rust can tell what the type of the target variable is, so why make me repeat myself?

Rust isn’t magic. Other languages can do similar things if you poke at them enough. It’s more that 2 lines of builtin Rust can readably implement a reasonably sophisticated set of operations that get compiled into a static executable. That’s a very pleasant combination of features.