Sep 12, 2024 ∞

The coffee shop is fine

I hear too many acquaintances worry that employees might work from a coffee shop or other public network, putting their whole company at risk. So what if they do? The idea that a coffee shop’s Wi-Fi is insecure implies that there’s a mythical “secure” network that can be trusted with the company’s secrets. That’s almost never true.

Work-from-home employees are on a tame home Wi-Fi setup, right? Don’t count on it. Is their gear current? Are they sharing Wi-Fi with their neighbors? Are they using their apartment building’s network? Who’s their ISP? Although their home setup might – or might not – have fewer people on it than the local cafe’s, that doesn’t make it trustworthy.

What about the employees we coerced into returning to a legacy office and using its Wi-Fi? Oh. You mean that named network that sits around with a target on its back as belonging to important people? Unless you manage your own office, and it’s in a Faraday cage blocking all outbound or inbound radio signals, and you pretend that MAC filtering is a security feature, and all your equipment is patched with the latest security updates, and you have guards walking around with fox hunt antennas to spot rogue access points, it’s not substantially better in the ways that count. If you can read this at work, at least a few of those assumptions are likely wrong.

The idea of a “trusted network” is dead. It’s time we stop pretending. If an employee can be compromised at the coffee shop, they can be compromised at the office. We have to design our defenses as though our staff are working from the free network at DEF CON. That means making sure all employee devices and servers are patched. That all connections are encrypted, even those between internal systems. That authentication uses cryptography, not passwords. That we don’t pretend that “route all traffic” VPNs are a good idea. That we don’t rely on allowlisted IPs as a critical defense. That we don’t trust any network our employees might use, and that our systems are robust enough to endure hostile environments. Yes, even the ones we tell ourselves are safe.

And if we’re not comfortable with our coworkers typing away next to a fresh latte, it’s our responsibility to figure out what part of that bothers us and then fix it. The issues that would make that scenario dangerous affect the “secure” office, too.

Sep 7, 2024 ∞

It’s an Aperol spritz kind of afternoon.

Two glasses are filled with dark orange liquid and topped with ice and orange slices. They’re sitting on a cutting board surrounded by more orange slices.

Sep 4, 2024 ∞

I found a odd control in AWS Security Hub’s CIS Benchmark 3 findings. It reports “IAM Access Analyzer external access analyzer should be enabled”, even if it is enabled in another account with organization-wide scope. Support’s advice is to disable the control.

Fine. It seems like an edge case, although maybe a common one for orgs with multiple accounts. I’m OK with silencing the false positive since we monitor that other account with its own CIS Benchmark 3 report.

Sep 1, 2024 ∞

We went to the local swap meet across the channel from the Port of Oakland. Photos don’t do justice to the enormousness of the container ships moored here daily.

A giant Hyundai container ship loaded with pink and orange and brown and other brightly colored containers in front of some giant cranes and a clear blue sky. It sits across a channel and some car roofs are in the foreground.

Aug 31, 2024 ∞

All household children deny knowledge of the situation, but I am skeptical.

A bag of frozen microwaveable burritos that has been open from both ends. The same bag with both ends rolled up and closed with bag clips.

Aug 29, 2024 ∞

Today I learned about Emacs’s table handling. Start with a mess:

| *Name* | *Type* | *Flavor* |
|--|--|--|
| Orange | Fruit | Orangeish |
| Water | Liquid | N/A |
| Pineapple | Armored fruit | Summer |

Run M-x table-recognize and press TAB. Now you have:

| *Name*    | *Type*        | *Flavor*  |
|-----------|---------------|-----------|
| Orange    | Fruit         | Orangeish |
| Water     | Liquid        | N/A       |
| Pineapple | Armored fruit | Summer    |

❤️

Aug 29, 2024 ∞

Literally every time I open the CA DMV digital drivers license app:

“You need to refresh your license!” Fine.
“To do that, you need to log back into the DMV website!” Alright.
“Your password is expired. You need to update it!” Ugh, really, whatever.
“System Unavailable”. throws phone

Every. Time. If I ever try to use this to board a flight, I’m so sorry for the people behind me in line that day.

Aug 26, 2024 ∞

Gigi is a happy mess.

A 3 lb Maltese dog sits between some pillows. She’s staring at the camera, fuzzy white fur, big black eyes and a pink tongue hanging out the side of her closed mouth.

Aug 25, 2024 ∞

If I bought this, “everyday" would mean “…for the rest of my life, and you’ll have to bury me in it.”

Picture of a normal-looking shirt:
&10;
&10;“Best everyday v-neck t-shirt
&10;
&10;$15,202 at its website
&10;
&10;Pros:
&10;
&10;+ Buttery soft fabric
&10;
&10;+ Has a hint of stretch to move freely
&10;
&10;Cons:
&10;
&10;x Not the most stylish pick”
&10;
&10;Not mentioned:
&10;
&10;+ Grants the ability to fly

Aug 22, 2024 ∞

Sometimes Rust makes me so happy. I wrote this over the weekend:

let embedded_data = include_bytes!("../static/data.bin");
let my_set: HashSet<&[u8]> = embedded_data[7..].chunks(10).collect();

It does this:

Read a binary file and embed it in the final executable as an array of bytes.
Create a HashSet (Python folks: a set() of items of a specific type) where each element is an array of bytes.
Skip the first 7 bytes of the binary file using Python-like slice notation.
Create an iterator that emits 10-byte portions of the rest of the file, one at a time.
Collect all the values from that iterator into… oh!, a HashSet<&[u8]> because Rust can tell what the type of the target variable is, so why make me repeat myself?

Rust isn’t magic. Other languages can do similar things if you poke at them enough. It’s more that 2 lines of builtin Rust can readably implement a reasonably sophisticated set of operations that get compiled into a static executable. That’s a very pleasant combination of features.

Aug 20, 2024 ∞

The hen is very curious about my lunch.

A black hen stands in the shadow of a back yard shelter. She’s watching very closely to make sure the diner isn’t up to shenanigans.

Aug 14, 2024 ∞

Today’s spam starts:

How are you doing? I’ve been following you on LinkedIn for a while now and wanted to reach out to say that I absolutely love your background. I have a Business Opportunity that I would like to discuss with you for mutual benefit.

That’s a new one for me.

Aug 14, 2024 ∞

My wife took a vow to put up with me 25 years ago today. Since then, she’s been my ride-or-die best friend through our many grand adventures. We didn’t always know how they’d work out. We’ve always gotten through them together. I know there’s nothing too big for us to face side by side.

Here’s to the next 25, my love, and all the others after that.

Aug 13, 2024 ∞

Project dream 1:

Toss and turn all night, thinking of a million things to be done, going in deep to solve some hard problems.
Wake up and remember none of that exists. Relax. Laugh.

Project dream 2:

Same as above.
Remember, oh yes it does.
Desperately make notes before it goes all Xanadu to your Coleridge.
Sit in a cold, panicked sweat for a little while.

It’s been a long week already, it’s Tuesday, and I haven’t even returned to work yet.

Aug 12, 2024 ∞

We survived Def Con. Barely. It was about as much fun as I’m physically able to tolerate in 1 week. Highlights:

Meeting many online friends and finding out they’re all delightful in person.
Seeing it all through my first-time-attendee wife’s eyes as we meandered through it all.
Coordinating, conspiring, and scheming face-to-face.
Being on the team taking 2nd-place in the EFF Tech Trivia contest.
Oh yeah, the parties.

We’re both happy, grinning, utterly exhausted, energized, and ready for next year.

Aug 9, 2024 ∞

Best Buy’s new anti-privacy practices are even more awful than before. They’ve lost any business I’d ever be sending them after this.

Do Not Sell My Personal Information&10;You're opting out of the "sale" of personal information.&10;Here's what you need to know:&10;• We can best honor this request if you are logged in to a Best Buy account.&10;• When you submit this request, we'll place a cookie on your browser to opt you out of the&10;"sale" of your personal information from BestBuy.com.&10;• This cookie will only take effect on this device, with this browser. If you visit BestBuy.com with a different device or browser, you will need to make the request again.&10;• If you use our mobile app, you'll need to activate the Do Not Sell function of the mobile app - your submission here won't impact the app.&10;• If you later delete or clear Best Buy's opt-out cookie, you'll need to submit a new opt-out request.&10;Send

Aug 8, 2024 ∞

Def Con badge acquired. Most of the way through the merch line; another 4 hours at most.

A roughly cat-shaped clear badge with electronics inside, displaying a Gameboy-style game. It’s glowing with bluish LEDs, except for the red left eye.

Aug 7, 2024 ∞

Hallway.

Aug 7, 2024 ∞

We made it to Vegas in 1 piece, ate a deliciously unhealthy lunch, checked in early (pro-tip: pay the $15 extra for a room upgrade if given the option), and set up the WiFi router that lets all our devices connect to the Internet at the same time without paying an arm and a leg every day.

It’s been a buy morning. Now we rest, re-caffeinate, and then hit the strip.

Aug 6, 2024 ∞

DEF CON is nearly upon us. Today we’re finishing our packing, checking into flights, finalizing plans to meet with friends, and twiddling our thumbs until it’s time to go to bed and wake up early.

Hope to see y’all there!