@mathfreedom You can still watch YouTube videos without fully submitting to Google's range of tracking through sites like invidio.us/ or applications like FreeTube: github.com/FreeTubeApp/FreeTub

I am failing at quitting Google mostly because everything interesting seems to be on YouTube.

Why do sunflowers use the Golden Ratio to define their seed arrangement? Good explanation:


#math #mathematics @science #STEM

My life would be a lot easier if I was less paranoid. I suffer from a great deal of anxiety.

In my experience: once you teach a developer how to properly fix a security vulnerability that they created and then have them fix it themselves, they will never again make that same mistake.

I tend to assume that mature products eventually reach the point where they do not have basic vulnerabilities any more, but evidently that is not true. In this talk, Julien Vehent of Firefox talks about receiving bug bounty reports that include basic XSS attacks. He then reveals how Firefox is trying to address these with Test Driven Security, which sounds a bit like it was inspired by a less strict version of either Test Driven Development or Behavioral Driven Development: youtube.com/watch?v=e2axToBYD6

@mathfreedom I used to work on Debian systems with a policy to use unattended-upgrade. It's a piece of software that upgrades the system on a periodic basis. We were applying security patches immediately on testing environments and every week on production systems. We were under a regulation and had to apply security patches within 3 weeks and wouldn't have been able to review all of them within this time. So we did checks, yes, but no full code review.

Free yourself of this illusion that your systems will ever be safe from a nation state attack by the country in which either yourself or your servers reside.

Would you notice if an update contained malicious code? I don't know any system administrators that take the time to review the code of open source updates they roll out. Everything runs on trust and that trust can be a weakness.

Of course, most companies I have worked with would never allow their servers to automatically update with no interaction due to the reliability concerns with doing so. The moment an automatic update took something down, the practice would go out the window for good.

NSA TAO Chief on Disrupting Nation State Hackers - youtube.com/watch?v=bDJb8WOJYd

There is some advice in this talk that companies use systems that push automatic updates without interaction. I feel the need to point out that an automatic update could be malicious and that the NSA could demand that a company push such an update.

Given this, I would amend this talk to say that this advice mostly works if your company:
- Only uses products by US companies
- Is OK with the NSA having access to systems

"All of the things that I think make up the kind of observability that makes it so that you can put software engineers on call and not feel like an asshole:
- well-instrumented
- high cardinality
- high dimensionality
- event-driven
- structured
- well-owned
- sampled
- tested in prod"
- Charity Majors

Has anyone tried using both who can tell me if either is worth trying, or which one to use?

I'm starting over. I am switching away from Google, Apple, and Microsoft. I am slowly going to switch to free software. I have chosen Mastodon as the new social network I will use.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.