I’ve given my kids Raspberry Pi desktops in their rooms. They’re 6 and 7 years old.

I’m still pretty torn about whether to leave this as a pure teaching opportunity, and not implement any parental controls beyond taking them away when they misbehave… or if I should lock them right down for their protection.

For the moment, I’m being an optimist. But formulating a response in case my optimism is misplaced.

We needed to poke some holes for airflow in the 8GB Raspberry Pi 4’s case. My daughter picked a heart-shape, and now it reminds me of Deedee, from “Ara the Star Engineer”.

I doubt this will ever turn into anything I’d use in production, but the pursuit is fun and interesting.

The inspiration came from setting up a CI server that needs keys for GitHub. I thought it would be cool if it could have a stateless base image for auto-scaling, and use a managed service identity to call keyvault for SSH auth.

Now that I’m over that hump, I can move on to the customized SSH Keychain that gives me interoperability with Azure.

As a bit of an experiment, I’ve been working on an SSH Agent implementation in Go, that uses Azure Keyvault for signing.

Proof-of-concept phase still isn’t done, but I finally got over a bit of a bump in the road.

Go has an SSH Agent package built right in, but it takes an open connection as input. Setting up a socket listener and passing a connection to the library was easy. Writing a clean shutdown was much more complex.

I ended up using net/http’s Server as a guide.
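
The shutdown problem described in this post, as an added example written for this page and not taken from the author's agent: a minimal Go server that hands every connection accepted on a Unix socket to a handler (the slot where agent.ServeAgent from golang.org/x/crypto/ssh/agent would go; a placeholder here so the example runs with only the standard library and no Key Vault) and borrows the bookkeeping net/http.Server uses for Shutdown. The names AgentServer, ErrServerClosed and the placeholder handler are this example's own assumptions, not the author's code.

```go
package main

import (
	"context"
	"errors"
	"log"
	"net"
	"os"
	"path/filepath"
	"sync"
	"time"
)

// ErrServerClosed is what Serve returns once Shutdown has run (cf. http.ErrServerClosed).
var ErrServerClosed = errors.New("agent server: closed")

// AgentServer owns a listener and the connections accepted from it, so Shutdown
// can stop accepting and then drain in-flight requests, the way net/http.Server does.
type AgentServer struct {
	// Handler serves one client. A real agent would call agent.ServeAgent(keyring, conn)
	// from golang.org/x/crypto/ssh/agent here; this example leaves it as a placeholder.
	Handler func(conn net.Conn)
	ln      net.Listener
	mu      sync.Mutex
	conns   map[net.Conn]struct{}
	closed  bool
	wg      sync.WaitGroup
}

func NewAgentServer(l net.Listener, h func(net.Conn)) *AgentServer {
	return &AgentServer{Handler: h, ln: l, conns: map[net.Conn]struct{}{}}
}

// Serve accepts until the listener is closed; after Shutdown it returns ErrServerClosed.
func (s *AgentServer) Serve() error {
	for {
		conn, err := s.ln.Accept()
		if errors.Is(err, net.ErrClosed) {
			return ErrServerClosed // Shutdown closed the listener under us
		} else if err != nil {
			return err
		}
		s.mu.Lock()
		if s.closed { // accepted just as Shutdown began: refuse, so wg.Add never races wg.Wait
			s.mu.Unlock()
			conn.Close()
			continue
		}
		s.conns[conn] = struct{}{}
		s.wg.Add(1)
		s.mu.Unlock()
		go func() {
			s.Handler(conn)
			conn.Close()
			s.mu.Lock()
			delete(s.conns, conn)
			s.mu.Unlock()
			s.wg.Done()
		}()
	}
}

// Shutdown closes the listener, then waits for active connections to finish. If ctx expires
// first, the stragglers are closed and ctx.Err() is returned, so one hung client cannot keep
// the agent (and its reach to the signing keys) alive indefinitely.
func (s *AgentServer) Shutdown(ctx context.Context) error {
	s.mu.Lock()
	s.closed = true
	s.ln.Close() // unblocks Accept; Go also unlinks the Unix socket file
	s.mu.Unlock()
	done := make(chan struct{})
	go func() { s.wg.Wait(); close(done) }()
	select {
	case <-done:
		return nil
	case <-ctx.Done():
		s.mu.Lock()
		for c := range s.conns {
			c.Close()
		}
		s.mu.Unlock()
		return ctx.Err()
	}
}

func main() {
	dir, err := os.MkdirTemp("", "agent-") // 0700 dir: only the owning user can reach the socket
	if err != nil {
		log.Fatal(err)
	}
	defer os.RemoveAll(dir)
	l, err := net.Listen("unix", filepath.Join(dir, "agent.sock"))
	if err != nil {
		log.Fatal(err)
	}
	srv := NewAgentServer(l, func(c net.Conn) { c.Write([]byte("placeholder agent\n")) })
	go srv.Serve()
	log.Printf("export SSH_AUTH_SOCK=%s", l.Addr())
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	log.Println("shutdown:", srv.Shutdown(ctx))
}
```

Two details carry the weight here. The closed flag is checked under the same mutex that Shutdown takes, so a connection accepted in the window between Shutdown flipping the flag and the listener actually closing is refused instead of being added to the WaitGroup while Wait is already running. And Shutdown takes a context: a client that never finishes its request would otherwise block the drain forever, which for an agent means the process holding the key handle never exits. Putting the socket in a 0700 directory (the layout ssh-agent itself uses) is what keeps other local users from asking the agent to sign on their behalf.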

My next software book will be “A Philosophy of Software Design” by John Ousterhout. It’s due to be delivered this week.

After reading mostly business leadership and management books last year, I decided to focus a little more on the actual construction of software this year.

I’ve taken up “Thinking, Fast and Slow” by Daniel Kahneman again, while I wait for my next software book to arrive. I started reading it last year but found it slow going as it took a lot of brain power to process. It’s not so much the text itself that is hard to read, it’s that it leads you to re-evaluate your own biases, which can be very difficult.

In 2019, I managed to meet my goal to read an average of a book a month… despite finishing my first book in March.

I’m stretching that goal this year, going for 24 books in 2020. I started with “The Unicorn Project” by Gene Kim (completed in a week, thanks to 20 hours spent commuting to and from Microsoft Ignite in Toronto).

Alright, I tried this on Twitter and it failed, so let's see if it works here.

I'm looking for a to help me with EliteSec, specifically around marketing and lead gen. This is my first startup, but I'm not new to the culture, just running it. It's an consultancy but I'll admit that I've been a corporate shill for 20+ years now and I don't want that anymore.

Please boost for exposure.

I was looking at recovering my account, but it seems I need either the FileVault recovery key (protected by the system password which I apparently no longer have), or I need to log in as another user and reset with my Apple ID... but there are no other users on the system, and with Full Disk Encryption I’d need the recovery key to add another one.

On the bright side, this is why I threw myself under the bus for the MDM project initially. Only developer with 2 company Macs. Though I hadn’t planned for the need to re-pave my machine for this.

I seem to have locked myself out of 1 of 2 company-issued macOS machines while setting up Intune-based MDM.

One of two things may have happened:
- it forced me to reset my length-over-complexity password. I might have mistyped the new password twice (I don’t think this is the case though, since I believe I logged in again after the reset), or...
- as an experiment, I clicked the “rotate filevault key” button in the Intune portal, which failed

Could that failure present as an account lockout?

I remember seeing a tool around to open up the encrypted backup to get the codes from raw content. Not really worth the effort as long as the old phone still works.

Interesting. Even with the encrypted backup, my Google Authenticator codes didn’t restore to my new phone.

Good thing I was half-expecting this, so I still have my old phone to work from while I migrate. I also have recovery codes for every service if it came to that.

How do you train for the technical aspects of IT incident response?

Diagnosing issues seems to be a mix of recognizing known patterns, and where that fails, methods of deduction.

Are there effective ways to teach these things without throwing someone into a real incident? If not, what’s the ideal balance between handing someone the solution, and allowing them to fail catastrophically?

After much more digging, I learned that they actually read-only mount the zip as the wwwroot directory with this subtly-divergent deploy technique.

This is actually kind of a cool optimization. It probably wouldn't be as much of a sharp edge if it wasn't so divergent, though. Would be nice if you could mix-and-match by allowing zip-deploy from URL without the read-only mount thing.

If you’re wondering why I’d want to ship as a zip…

It allows me to write a terraform config or resource manager template and have the function app deployed and running without any intervention. Every other method needs follow-up manual work to configure.

Playing with Azure Functions for an infrastructure automation thing today - weekend project stuff, not for work.

They cram so many features into app services infrastructure that it’s hard to sort out the specifics in the docs.

For example: you can deploy a nodejs function app with source control, and it will npm install for you. But if you ship your code as a zip and provide a URL, you have to package your dependencies with your code.

It’s documented, but it adds to the learning curve.

Is there a proper/formal term for the security permissions model where the creator of a resource has full permissions on it regardless of their access to the system at large?

Most common example I can think of is document or file systems.

Is there any good literature contrasting that to other models of permission?

Once you’ve got the generic interface adapted, it opens up a world of cool stuff, like using KeyVault keys for the root of a private Certificate Authority.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.