soleblaze

@soleblaze@infosec.exchange

My day job involves #HPC, #LLM and #kubernetes #security. Current personal projects revolve around AI/Machine Learning/LLMs.


sarahjamielewis, to random
@sarahjamielewis@mastodon.social

A security/crypto meta-topic for my sanity:

  1. In any context where it could possibly matter, cryptographic deniability doesn't hold any weight.

  2. Any party trusted with delivering OS updates can (be coerced to) compromise that device/app.

  3. The actual utility of properties like forward secrecy in a world with (2) depends on contorting adversaries into unrealistic shapes.

  4. While useful, many have too much faith in honor-system security ("self-destructing messages" / "no screenshot flags").

soleblaze,

@sarahjamielewis a lot of it comes down to trust and who you put your trust in. Turtles all the way down and all that. And I agree with your statements. If your adversary's capabilities include being attacked through updates to trusted software, then you're pretty much screwed.

Think the "I got hacked, now what" exercise takes too much of a back burner to "I can be secure if I patch all known vulnerabilities and use all this trust". Both are needed, but you need a playbook for when shit hits the fan.

There's also the fun of playing spy vs living it and how much more difficult it is if your privacy/security actually matters to the point it'll get you killed. And I'm not sure "my stuff is encrypted and has expiration" is the best use of time/energy in those situations.

lcamtuf, to random

deleted_by_author

    soleblaze,

    @lcamtuf would be an interesting experiment to watch. Look forward to the documentary in 10 years!

    briankrebs, to random

    Why does Apple Music continue to suck at suggesting music I might actually want to listen to? Maybe I have enabled some setting to make it obtuse, but it has to know by now what I listen to and what I never even bother with, and yet every time I launch the app it's just tons of whatever is most popular right now. Am I alone in this experience?

    soleblaze,

    @briankrebs what bugs me the most is that Mog had really good “random song” radio features, including the ability to set how often you wanted to hear a specific artist vs related artists in their artist radio… and mog turned into Apple Music.

    tqbf, to random

    OK, my kids (both adults) haven't seen Gremlins, and I haven't since I was like 12, but I am still confident that is the second most important Xmas movie. Could suck! Could transcend! Will report how this goes.

    soleblaze,

    @ryanc @tqbf man, I haven’t seen that movie since I was a kid and don’t remember any of that! I’m going to have to watch this.

    soleblaze, to random

    Make your hobby/passion your job and you’ll never have a vacation again.

    mjg59, to random
    @mjg59@nondeterministic.computer

    Today I got to tell my students that in the bad old days we used to write scripts that just SSHed into every machine and ran sed on config files but today we had puppet and I regret to inform you that based on their facial expressions we apparently still write scripts that just SSH into every machine and run sed on config files

    soleblaze,

    @mjg59 ah yes. The good old days when I nuked everyone's fstab file by putting '>' instead of '>>' in a script. Luckily I was able to reconstruct all of them with mtab... after I calmed down.

    mjg59, to random
    @mjg59@nondeterministic.computer

    Anyone out there at GitHub: could you please add support for adding an SSH CA key to a repo and then enforcing that commits be signed with a certificate signed by that CA? This is already supported in git, and would let orgs just upload their CA and enforce signatures without needing to manage keys for individual users.

    soleblaze,

    @mjg59 I have commit signing enforcement on my list and so far it looks like all the solutions are various degrees of awful.

    kellogh, to random
    @kellogh@hachyderm.io

    when you use code reviews as a quality gate, it reduces bugs by reducing the throughput of the team. there’s not many cases where that’s actually what you want. typically you want to look for other quality controls

    soleblaze,

    @kellogh are you including peer reviews, such as pair programming or PR approvals in that list or are you talking about larger, manual processes?

    soleblaze,

    @kellogh ah. It's difficult for me to argue that lightweight peer review processes don't provide an increase in quality. However, it's so context dependent on whether they provide enough to be worth it. Having a "quality bar" is a difficult, fuzzy problem, and most places I've worked wouldn't be able to measure their output to even know where they're at in relation to what they hope to achieve... or even know what the bar is.

    soleblaze,

    @kellogh yeah, that's awful. That's a sure fire way to kill quality and everything else

    lcamtuf, (edited) to random

    I spent more than 25 years in tech. If you asked me for advice today, I’d open with a warning: don’t let a corporate job, no matter how great, become your whole identity.

    My view isn’t rooted in resentment or anti-capitalism. I am immensely grateful for my career, I’ve always taken pride in my work, and I strived to do it well. My point is different: losing an argument in the office shouldn’t feel like an attack on your entire self.

    The allure of getting lost in work comes in part from the mythos of Big Tech: the idea that we’re changing the world every day, even if the bulk of corporate life is just grind. The grind is important but it has no end; in ten years, nobody will remember or care about the all-nighters we put in to refactor some code, flesh out a policy, or nail an OKR.

    It doesn’t help that many tech companies recruit fresh out of college and ask people to move hundreds or thousands of miles. This severs our social connections and forces us to rebuild them around the workplace. When doing so, it can be difficult to draw clear lines.

    I’m not arguing for nihilism or mediocrity. But by the end of the day, your corporate employer is not your family. The pastel-colored interiors, the board games, the lounge chairs conceal an uncomfortable truth: the company will not hesitate to fire you if you bring the wrong “whole self” to work, if they lose interest in your project, or if they need to send a specific message in the quarterly report. You might have a caring manager or wonderful colleagues, but your work identity is just a row in someone else's spreadsheet.

    My advice is simple. Be ambitious, but find ways to disconnect every now and then. Save some of that true passion for hobbies, family, and friends.

    Edit: also posted at https://lcamtuf.substack.com/p/on-corporate-life

    soleblaze,

    @lcamtuf how often do you see people tying their identity to work accomplishments vs the tech they use/the areas they're knowledgeable in general?

    soleblaze,

    @lcamtuf ah, I get your point now. Yeah, not a good look for a person in that situation. Plus the whole mental toll it takes.

    GossiTheDog, to random
    @GossiTheDog@cyberplace.social

    deleted_by_author

    soleblaze,

    @GossiTheDog yeah but the ones who left should have stayed and the ones who stayed were the ones we wanted to get rid of! The whole passive aggressive nature of this stupid management game is wearing thin.

    kellogh, to OpenAI
    @kellogh@hachyderm.io

    every time drops the prices, i wonder if they actually made the model more efficient or if they’re just aggressively capturing the market

    soleblaze,

    @kellogh it's interesting hearing the rumors of how much it costs to run vs how much they charge and then seeing pricing drops. Guessing like a lot of things the truth is somewhere in between.

    thefreehunter, to Starfield

    It’s kind of telling how few people I hear talking about . I don’t hate it, but I’m not really loving it either. It’s… fine.

    soleblaze,

    @thefreehunter it's Bethesda in space! Most of their games feel the same. I couldn't get into it and the horrible maps didn't help.

    soleblaze,

    @thefreehunter yeah. I didn't get too far into fallout 4 either. I did put a ton of hours into 3 and new Vegas.

    I find lately I don't want to deal with story. I want something straightforward and a bit grindy. Pretty much only play metroidvanias and rogue-lites these days.

    foone, to random
    @foone@digipres.club

    My car was beeping at me because my "passenger" wasn't buckled in.

    Said passenger is simply two hard drives. But sure, I guess I should put their seat belt on!

    soleblaze,

    @foone those would be a good illustration for talking about data wiping. "Unless your drive looks like this don't bother with more than a single pass of zeros".

    glennf, to random
    @glennf@twit.social

    “On the Internet, nobody knows you’re a dog”: That cartoon’s original sold for $175,000 a few weeks ago! Peter Steiner, its artist, is a very interesting chap himself (his novels are quite good), and when he drew it in 1993, he didn’t really know what the Internet was. https://www.ha.com/heritage-auctions-press-releases-and-news/new-yorker-s-most-reprinted-cartoon-sells-for-175-000-at-heritage-to-become-world-s-most-valuable-single-panel-cartoon.s?releaseId=4817

    I wrote a New York Times article in 2000 about its appeal, which never tapered: https://www.nytimes.com/2000/12/14/technology/cartoon-captures-spirit-of-the-internet.html and a 20th anniversary follow-up in The Magazine in 2013: https://the-magazine.org/21/everybody-knows-you-re-a-dog/

    It’s 30 years old!

    soleblaze,

    @glennf I'm surprised it didn't go for more with how iconic it is.

    kellogh, to random
    @kellogh@hachyderm.io

    protip: if you have trouble changing Git branches and frequently work multiple things at once, just checkout lots of copies of the repo

    e.g.

    • feature-dev/
    • escalations/
    • things-mike-makes-me-do/

    soleblaze,

    @kellogh More having it in the same repo and moving around. Honestly, I'm not too sure if there's much of a difference... maybe easier to push changes to multiple branches at the same time and move them around, but I'm not sure how likely that scenario is day to day.

    I don't normally need to do multiple branches at the same time, but I do normally do the multiple clone thing as well.

    nedbat, to python
    @nedbat@hachyderm.io

    If I could change one thing about education, it would be to change every example of for i in ... to something more meaningful (for number in ...) so that people would stop writing things like for i in employees:

    soleblaze,

    @nedbat @kellogh I like how go does it. The further the variable declaration is from its use the more descriptive you want the variable to be. For i is fine if you’re using it immediately after. If it’s 5-10 lines down then you give it a more descriptive name.

    Viss, to random
    @Viss@mastodon.social

    more proof marrying yourself to only caring about cves and the garbage tire fire that is the infosec vuln taxonomy landscape is just going to make your hair fall out and your organs stop working.

    almost everything on this list is "people not giving a shit" or "making typos and architectural mistakes"

    soleblaze,

    @Viss @darkuncle @catsalad I'm not saying that doesn't happen. I'm saying that it's generally not because that person decided to go into work and do it that way. It's a lot more complicated than that, and if you replaced that person with someone else I doubt the outcome would change. You can't fix the problem by attacking the symptoms. Unless all you need is a scapegoat.

    soleblaze,

    @Viss @darkuncle @catsalad Could be many reasons why that person did that. ofc, that sounds more like a management issue, which ties back into the why didn't anyone notice it vs the it was the failure of that specific person that was in charge of that actor because they are intentionally bad at their job. And yes, there are outliers that will lie and cheat and steal. However, there aren't enough of those outliers to be the reason why these top 10 lists never change.

    so yeah, if you deal with any kind of incident response or remediations... I think the book will be interesting to you, either as a 'this makes a lot of sense' or 'this is bs and gives me a good topic to rant about'.

    soleblaze,

    @Viss @darkuncle @catsalad I'm sorry, that's not what I was intending. I do believe what you said happens. I should keep my responses more generalized and not bring in your specific issues to use as examples.

    I'll boil my point down to something simple. We don't have these top 10 lists that don't change and decades of the same issues that never get resolved due to "bad eggs who can't do their jobs". Getting rid of them wouldn't move the needle, as they'd get replaced by others that would get put into the same situations with similar outcomes. Everyone has their reasons.

    soleblaze,

    @Viss @darkuncle @catsalad Not sure if Mastodon's "edit button" is good or bad... re-read my last reply and had to edit it because the original piece didn't come out the way I wanted.
