Existential Anger as a Service @darrenpmeyer@infosec.exchange

I think BunsenLabs Lithium might turn into my favorite Debian-derived distro. The out-of-the-box Openbox setup is not terribly far off of what I’d do anyway, and I like the balance of minimalism (very little cruft preinstalled, tiny footprint) vs utility (drivers and media format support and other “nice experience” stuff install by default) in the default config

I’ve been using it to stand up quick VMs here and there and I’m considering making it my default. My only grouse is no ARM

The Metaverse as envisioned by "Meta" nee Facebook is just Geocities for VR. Change my mind.

I understand the value of opinionated design, but so often the opinion seems to be "power users can eat shit"

It should not be this annoying and expensive to sync a folder on a local Linux machine to a cloud provider with zero knowledge encryption in place

I'm going to end up frankensteining a solution, aren't I?

Now I just need to figure out how to take PTO that isn't mostly working on projects around my house. Sigh. One thing at a time.

Taking my own advice and taking a couple of days of actual PTO where I will not be checking my email or Slack

It's good to have a team that will support me doing that, both the team I lead and the team I'm on

Also? Y'all, I've had some bad managers in my life but _holy shit_ some of these stories make me think a psych eval should be required for anyone who's tapped to lead people

A pair of things I did not expect when I made the move to management:

- when you answer the 'what do you do' question with "I manage a team", *everyone* has a story to tell you
- none of the stories are about decent managers. Most are about jaw-droppingly awful ones, and a few about amazing ones

I hope to someday be the manager people tell the "amazing manager" stories about

Y'all need to learn to use RACI charts properly

They're a tool mainly to help you think through what roles do what things for a list of activities. If you use them correctly, you get documentation for free, but the documentation isn't the point – that's just icing

Had to fast for a procedure this morning, so afterwards my lovely wife took me for coffee and A. CHURRO. DONUT.

Advice for choosing strong passwords: don't

A strong password needs to be unpredictable. Humans suck at being deliberately unpredictable.

Humans also suck at remembering random things. A password manager that does strongly-random generation, along with 2FA are your best bets. If you have to have a *memorable* password, generate a random passphrase using something like diceware

Interesting range of responses, from "0-day is zero days since exploit (using the vuln burns the 0-day, and it's not a 0-day anymore)" to "0-day is zero days of prior disclosure to vendor before release" to "0-day is zero days of fix/patch availability"

I "grew up with" the strictest of those — a 0-day is something no one but the attacker is aware of; once it's out, it maybe WAS a 0-day but isn't anymore

Current debate: what qualifies a vuln as "0-day"? After hearing someone use it in a way that surprised me, I asked 3 others and got 4 new answers, so…

What's your definition of "0-day"?

Boosts for wide sampling appreciated

You don't need that kind of risk methodology in most cases. In fact, I'd argue that it will usually do more harm than good. What you need isn't usually to quantify your risk, it's:

• identify your security priorities

• have a sound, defensible business case for your security spending

The actuarial definition of risk (an annualised expectation of loss that's single loss amount • annual frequency) is a bit of an albatross around the neck of most infosec practice

Very few orgs are going to have the data or discipline to even use it, so they make guesses. Guesses create (sometimes extreme) bias, while the air of "using a formula" hides those biases