I think BunsenLabs Lithium might turn into my favorite Debian-derived distro. The out-of-the-box Openbox setup is not terribly far off what I'd do anyway, and I like the balance of minimalism (very little cruft preinstalled, tiny footprint) vs utility (drivers and media format support and other "nice experience" stuff installed by default) in the default config.
I've been using it to stand up quick VMs here and there, and I'm considering making it my default. My only grouse is no ARM support.
"Some said an open-world experience this immersive wasn’t possible. But it’s already here. And you don’t even need silly VR headsets. Introducing, ✨ Icelandverse✨"
Now I just need to figure out how to take PTO that isn't mostly working on projects around my house. Sigh. One thing at a time.
Also? Y'all, I've had some bad managers in my life, but _holy shit_, some of these stories make me think a psych eval should be required for anyone who's tapped to lead people.
A pair of things I did not expect when I made the move to management:
- when you answer the 'what do you do' question with "I manage a team", *everyone* has a story to tell you
- none of the stories are about decent managers. Most are about jaw-droppingly awful ones, and a few about amazing ones
I hope to someday be the manager people tell the "amazing manager" stories about.
Advice for choosing strong passwords: don't.
A strong password needs to be unpredictable. Humans suck at being deliberately unpredictable.
Humans also suck at remembering random things. A password manager that does strongly random generation, along with 2FA, is your best bet. If you have to have a *memorable* password, generate a random passphrase using something like Diceware.
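The two recommendations above in working code, as an added example that is not from the original post: manager-style generation of a random password, and Diceware-style generation of a memorable passphrase, both drawn from the OS CSPRNG via Python's `secrets` module, with the entropy arithmetic that tells you how many words or characters you actually need. The word list here is a tiny constructed stand-in (assumption) for the real 7776-word Diceware list; the entropy figures show why a list that small is not good enough.

```python
"""Added example (not the post author's code): CSPRNG-based password and
passphrase generation, plus the entropy math behind "how long is enough".
Standard library only."""
import math
import secrets
import string

# Constructed stand-in for a Diceware word list. A real list has 6**5 = 7776
# entries, one per five-dice roll ("11111" .. "66666"); this one has 16,
# which is far too few, as entropy_bits() below makes plain.
TOY_WORDLIST = [
    "apple", "bridge", "cobalt", "dune", "ember", "falcon", "garnet", "harbor",
    "ivory", "juniper", "kestrel", "lantern", "meadow", "nimbus", "orchid", "pylon",
]

DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words in the standard list

# Character alphabet a password manager would typically use for random passwords.
MANAGER_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(choices: int, count: int) -> float:
    """Entropy of `count` independent, uniform picks from `choices` options.

    This is the only number that matters for guessing resistance; it does not
    depend on how the words or characters look."""
    if choices < 2 or count < 1:
        raise ValueError("need at least two choices and one pick")
    return count * math.log2(choices)


def required_picks(choices: int, target_bits: float) -> int:
    """Smallest number of picks whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(choices))


def diceware_passphrase(words, count: int = 6, sep: str = " ") -> str:
    """Pick `count` words uniformly at random with the OS CSPRNG.

    secrets.choice is the in-process equivalent of rolling physical dice.
    random.choice is NOT acceptable here: it is a Mersenne Twister seeded
    from predictable state and its output can be reconstructed."""
    return sep.join(secrets.choice(words) for _ in range(count))


def manager_style_password(length: int = 24, alphabet: str = MANAGER_ALPHABET) -> str:
    """Random password of the kind a password manager generates and stores
    for you; nobody is expected to remember it."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print("manager password :", manager_style_password())
    print("  entropy (bits) :", round(entropy_bits(len(MANAGER_ALPHABET), 24), 1))
    print("toy passphrase   :", diceware_passphrase(TOY_WORDLIST))
    print("  entropy (bits) :", entropy_bits(len(TOY_WORDLIST), 6))
    print("real Diceware, 6 words (bits):", round(entropy_bits(DICEWARE_LIST_SIZE, 6), 1))
    print("real Diceware words for 80 bits:", required_picks(DICEWARE_LIST_SIZE, 80))
```

Six words from the real list give about 77.5 bits; six words from the 16-word toy list give only 24 bits, which is why the list size, not the word count alone, is what you should check. The same `entropy_bits` call applied to a 24-character password over the 94-symbol alphabet gives roughly 157 bits, the reason a manager-generated password beats any passphrase a human will tolerate typing.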
Interesting range of responses, from "0-day is zero days since exploit (using the vuln burns the 0-day, and it's not a 0-day anymore)" to "0-day is zero days of prior disclosure to vendor before release" to "0-day is zero days of fix/patch availability"
I "grew up with" the strictest of those: a 0-day is something no one but the attacker is aware of; once it's out, it maybe WAS a 0-day but isn't anymore.
You don't need that kind of risk methodology in most cases. In fact, I'd argue that it will usually do more harm than good. What you need isn't usually to quantify your risk, it's:
• identify your security priorities
• have a sound, defensible business case for your security spending
The actuarial definition of risk (an annualised expectation of loss that's single loss amount × annual frequency) is a bit of an albatross around the neck of most infosec practice.
Very few orgs are going to have the data or discipline to even use it, so they make guesses. Guesses create (sometimes extreme) bias, while the air of "using a formula" hides those biases.
Application Security @ CrowdStrike; but opinions are mine. Part-time coffee and Arduino nerd.
A Mastodon instance for info/cyber security-minded people.