I am using an iPad Pro with an Apple Keyboard/Trackpad. When I run the Discord client and try to enter text in the text entry field at the bottom of screen…

HOW AM I SUPPOSED TO SEE WHAT I AM TYPING?!?!? GET YOUR TEXT PREDICTION RIBBON OUT OF THE WAY!!!

What the hell? I AM USING A KEYBOARD DUMMIES!

How does something this simple get past Quality Control?

A simplification of a foundational concept of psychology is,

People change when it hurts bad enough

I also want to remind people of Hanlon’s razor

never attribute to malice that which is adequately explained by stupidity

With those two things in mind, let’s talk about freedom and responsibility. First we will separate freedom from license. Consider James Bond (007). He has a “license to kill.” So what is it that he has that is different from anyone else? He has the ability to terminate someone at his own discretion with no repercussion. Consider your license to drive. It gives you the ability to travel on motorways to the destination of your choice with no repercussion.

Obviously license is given to you by a licensing authority to have the ability to act without facing repercussion for the action for which you are licensed. There MAY be limiting factors AROUND the use of license (speed limit when using a motorway), but the fact you were using an automobile on a motorway is not a violation. WITHOUT license you are prohibited.

Freedom on the other hand is considered innate. It comes from “all persons being created equal…” (regardless of your position of a supernatural creation or a natural one). There is no licensing authority on a freedom. A freedom exists because you do.

So what about limitation? Are there limitations on freedoms? What happens when you walk into a movie theater and yell, “Fire!” And there isn’t one? You are exercising freedom of speech. People panic, run out out of the theater, some are trampled to death… but you have no responsibility right? That’s not your fault, right?

You take a loved one to the firing range. Both of you are there voluntarily shooting at targets, you turn and accidentally shoot them. There is no responsibility here for the injury or death because you were just exercising your freedom of, “keeping and bearing arms,” right?

My point is freedom is inseparable from responsibility. In some freedoms there is a responsibility to act (like voting). In some freedoms there is a responsibility to not act. In the separation of church and state clause you have a responsibility to not impede someone’s beliefs. However, is there a limitation to this?

Let’s look at the fourth amendment. This protects citizens against search and seizure? Is this protection against ALL search and seizure? No, it’s against unreasonable search and seizure.

Let’s go back to the first amendment. Are there limits to the freedoms there? Obviously yes. Defamation and slander to name two. What about the second amendment? Yes, there are limitations. You can not own a firearm if you are a felon or have a dishonorable discharge.

Two things are true. We accept limitations to freedoms and we accept that freedom comes with responsibility (freedom is not license). Why? Why do we accept this limitation? Because we understand the truism, “your freedoms end where mine begin,” AND the converse, “my freedoms end where yours begin.”

Where does this put vaccination? TLDR; get your shot, and STFU you coward. Expanded version? Regardless of your beliefs you do NOT have a right to imperil me or risk my life for the sake of your ignorance, cowardice, or convenience. Expanded further, just like I can’t walk in to a theater yelling, “Fire!” under the protection of freedom of speech, you CAN NOT skip out on getting the vaccine or mask mandates because of your belief (acceptance of claims without evidence) OR faith (acceptance of claims despite evidence) OR religion (the codification of belief and faith).

I’m tired of people demanding their inability to accept reality to play second fiddle to that which consistently comports to reality to the exclusion of all other possibilities (what we call evidence). No, I will not sit quietly while you demand the country go through another Dark Ages. No, I will NOT pretend that your belief, faith, or religion hold ANY validity regardless of HOW deeply held, while you cower behind it imperiling my wife and my children.

I’m calling out your beliefs of convenience that are more strongly based on the selfishness, narcissism, and egocentrism, of what you BELIEVE freedom to be, rather than what it is. Freedom is NOT an excuse for idiocy. Freedom is not an excuse for cowardice. Freedom is not an excuse for ignorance.

…Life, liberty, and the pursuit of happiness

That’s the Declaration of Independence speaking. It’s in THAT ORDER for a reason. You CAN NOT have pursuit of happiness WITHOUT liberty. THAT IS TRUE. But it is NOT the ONLY truth.

YOU CAN NOT HAVE LIBERTY WITHOUT LIFE! Dead people have no freedoms. THE REASON freedom is fought for and people die for it is BECAUSE there is no difference between slavery and death. Slaves have nothing to lose by fighting for freedom.

Don’t call me a sheep while you are taking animal medications pretending that it is a better solution. You’re the only one acting with the intelligence of a barn yard animal.

WHAT ABOUT MY BODILY AUTONOMY?!?!?! Why don’t you accept that argument from women needing an abortion? Since you won’t accept that argument from them, violating Doctor patient confidentiality, and inserting yourself in a decision that not only has nothing to do with you, it’s already been legally decided by the Supreme Court, I won’t accept your hypocrisy in using it.

BUT THEY’RE KILLING BABIES!!!!! So is your ignorance, idiocy, and cowardice in not getting vaccinated. So no, I don’t accept this argument.

IT’S JUST THE PHARMACEUTICAL INDUSTRY MAKING MONEY!!! Because they make MORE money from the public getting two vaccine shots than they do from hundreds of thousands of multi week stays in an ICU? But that’s just the beginning. Many ICU patients die and family gets to pay. Pay for medical bills and pay for funeral expenses. That’s DEFINITELY cheaper than two FREE shots, right?

And you have NO rational, reasonable, logical argument. “I don’t wanna,” is the realm of toddlers. And I don’t care if you don’t want to.

I know the next TRUMPeting of a conspiracy is going to be, “oh noes, all the conservatives are dead cuz freedom required them to not get vaccinated and now the dead can’t vote…” so what? MOAR GERRYMANDERING! NO, BETTER, require a 3/5’s compromise under “the vaccinated are slaves to reality and we in our enlightened religion aren’t slaves and slaves only count as 3/5’s of a vote…”

Stop acting like an ass… horse… whatever, this isn’t “Animal Farm,” stop being a coward, grow up, put on your big girl panties on (whatever gender you claim), and get vaccinated.

Signed — An Army Veteran

Edit “But what about people that can’t get it for medical reasons?”

You mean people that HAVE a rational, reasonable, logical reason NOT to get vaccinated?

I discovered somebody had filed for unemployment insurance using my identity. As a security professional I’m pretty cognizant of usernames/passwords, reuse, complexity, etc.

So I was curious how someone could have filed a claim in my stead.

First, they would go to cdle.colorado.gov., select returning claimants, then click on MyUIClaimant.

Next, when the website pops up, they select, “I forgot my username.” They populate the Email ID with an email address of a Colorado resident and…

Well, actually if they know scripting at all they could use a tool like burpsuite or CURL.

Anyway they populate the email ID and FOUR DIGIT social security number check with 0000. And then they have a computer script (trivial to put together) do the other 9999 possibilities. After a few seconds they have identified the UserID based on the email.

Then they take the email address they just used, with the last four digits of the SSN and do the same thing to get the password.

The attacker logs in to the account with the log in and password of the victim provided by the State of Colorado and changes the email address to one the attacker has access to. Then they force a change of PIN number to be sent through regular mail to the victim.

When the victim receives a PIN number they didn’t request in the mail goes to the Colorado State Website to have the virtual assistant help with changing the PIN number.. Several questions are asked. The victims SSN, their birthdate, their zip code.

And after the victim provides the Virtual Assistant all of this information to verify their identity…

The State of Colorado sends the new PIN number to the attackers email address instead of mailing a new one. The attacker can now access all of the victims personal information.

Thanks, Colorado. I appreciate you sending all MY personal information to…

I guess it doesn’t matter who you sent it to, not like you would know.

So what can I do about this? Nothing. Colorado’s unemployment office is so backed up, a human won’t interact with you on the phone. They are scheduling calls a month out. The system is so backed up it’s not scheduling more calls. Call the local police? The detective responsible for fraud investigation is on vacation. Call the state department of labor? They won’t answer the phone and it doesn’t go to voice mail.

So, here is how you will have your identity stolen if you live in the state of Colorado. I tried to provide this information to the State, but no one gives a damn. As a Colorado resident your personally identifiable information is of no concern to the state.

What if you built an NTP server in your Docker virtual network? You could set the server to communicate externally with NTP servers outside your host… or even set up your host as an NTP server for just your Docker network, then makes the containers clients?

To protesters demanding “their rights.”

When I was in the Army I learned the following:

Courage is the act of risking your life to protect the liberties of another.

Cowardice is the act of demanding liberties at the risk of another’s life.

Are you really surprised by that title? Let’s review the blunderous release and negative impact on ENTIRE GAMING RIGS for 5% more FPS…

I “pre-downloaded” Doom. Once it was installed my Steam client (because installing game without a company getting their hooks in your data isn’t a thing anymore) informed me that I’d be able to play this on the 19th of March. So, I tried all day. That was wrong.

Okay, the 20th hit. Oh look, I’m able to play. Well, that was the release date, so no harm done. I played for half an hour and liked what I saw. I have a 4K HDR monitor and an AMD 5700 graphics card. The rendering was glorious. I set the screen resolution to 2k and locked the FPS to 60. I was in heaven… hell…. Wherever I was supposed to be. I was SO THERE!

Then there was an update to Doom Friday evening. Wow, okay, let’s get that installed.

Once done, I hit play and…

“You need to update your Adrenalin drivers to 20.3.x” I can no longer play Doom because it demands that I use updated drivers.

Okay, I drop in the Adrenalin driver front end and an hour later..

1%

For a 400 meg file. It errored out because bandwidth was so constrained from the source… and of course it was. Everyone that was playing Doom with an AMD card was updating their drivers too…

So I jump over to the AMD website and try downloading the Adrenalin drivers. The whole package. It starts…

And informs me it’ll be two days.

I go to bed frustrated. I remember playing Doom on a 386. The day it came out. For hours… weeks… months… straight.

When I wake up in the morning I check the Adrenalin download. It errored out, because of course it had. So I restart the download.

Twenty mins later I have the drivers (6 a.m. Saturday morning). Now we’re in business…

Except that when I double tap the file Windows defender protects me from myself because why would I want to run an executable? I check a box and tell it to install anyway. Windows 10 then informs me “it’s not a Windows file.” Of course it is, I selected the Win10 download from the site, it’s an executable, and you tried to protect me from running you ignorant…

I try right clicking on the driver and install as Admin. Now Windows tells me it can’t find the file, though I can see it right there in file explorer.

Frustrated as hell at this point I go back to the Adrenalin drivers and tell them to update again. This time the update runs, and installs. Guess the driver can circumvent the Win10 bullshit. Thankfully the driver installs. Finally, I can play Doom.

I click Play and…

Let me translate this for you. I have been provided drivers that will give me 5% more FPS, something I don’t benefit from in ANY WAY because I locked the FPS at 60, in exchange for playing ANY games in HDR. This means I CAN’T play Star Wars Jedi:Fallen Order in HDR anymore.

Before the update everything worked great, after the update I have to give up EXPECTED FUNCTIONALITY.

To ID, to AMD, I say fuck you, you thoughtless imbeciles. WHY would you make a game REQUIRE me to update to buggy drivers that negatively impact MY ENTIRE GAMING EXPERIENCE? No a 5% boost in FPS is not worth LOOSING HDR. And the fact that I get to be a victim of that stupid, instead of chose what works best for me….

Part 2 of an infinite part series

“You realize I’ll have my certification in six weeks.” I’ve heard this before. When I worked as a technical trainer in InfoSec the manager of the school said that he had, “sat for the class for that certification.”

So?

Earning a certification is a starting point. It shows that you have at minimum a certain set of knowledge. It is not the ending point where you get to say, “gee, my certification grants me authority…” An argument from authority is still an argument from authority. And since it seems that it has to be said, no, sitting in a class for a certification is not the same as taking the test and passing.

Imagine for a moment you are about to make an appointment with a surgeon for routine surgery. Your choices are someone that is going to have their medical license in six weeks, someone that has “sat the classes,” or someone who’s been licensed for six years. I know who I’d go with.

The facts are that a test only shows what you know at a given time. The certification is a way of showing that you have in fact demonstrated MINIMUM competency. Too often it’s treated as though it demonstrates MAXIMUM competency. You’ll find articles that decry the value of (insert said certification here) as useful or valuable.

The reality is this. Your certification has the value you provide it. You either build on it, or let it turn fallow. A certification is not like a degree. A degree shows that you can jump through hoops to peoples satisfaction. A certification shows that you have knowledge. Sadly, degrees never expire. Certifications can expire if you don’t update your knowledge base with continuing education units.

It’s no wonder that certain certifications in my field count towards half a Masters Degree. The Masters Degree counts towards… nothing. But it sure looks good with all that alphabet after your name, doesn’t it? Don’t worry, I’ll have my Masters degree in a year… or two.

Next time we’ll complain about the Ford Edsel, and the lesson it taught that security ignores.

There are many graphics running around FaceBook at this time of year answering the question, “What’s the difference?” It seems there is much confusion around Memorial Day, Veterans Day, and Armed Forces Day. Why do we spend so many days of the year honoring the same people over and over?

There is a huge difference you will be told. “We have to understand that this is not that, and these are not those.” This is the rally cry of explanation, separation, and difference. So what is the difference really?

When I was 17 years old I had few prospects after high school. No one was rushing to send a person that “graduated” in the bottom ten percent of their class a college education. I knew no trade, and no one was willing to invest in me. I was white, I was male, and if I did not know what I was doing the day after graduation, I would be homeless.

Originally I thought I might join the Air Force. Then I met an Army recruiter and my thinking changed. I was guaranteed to be trained for a specific job. This meant I could select something that I could use in the civilian world. The Army would invest in training me into a trade, and I got to pick it.

After listening to the recruiters “sales pitch,” I thought. It seemed that everyone has a blank check when they get out of high school. I was being asked to sign my blank check, in its entirety, over to Uncle Sam. This blank check was for the value of a person, up to and including… their all. I could be called on to die. My parents reminded me, that this was my choice to make. I could choose not to sign over the blank check.

If you chose to sign over your blank check to college for a time, or to a trade school. Or over to waitressing, or being the person that fixed my car, thank you. I really mean that, it means a lot to me that when I needed my car fixed, or dinner, I had someone to count on. If you do your job well, and make it so that I don’t have to do it, trash person or journalist, thank you.

I chose to do with my blank check the thing I thought mattered most. I invested in every citizen of this country. The war monger and the pacifist. The CIS gendered and not. Men and women. The practical and the dreamer. I wanted to be part of the reason that they all had a chance. I wanted to protect everyone else’s right to choose for themselves, because of how important that choice is to me.

I wanted to ensure that everyone in this country had the same freedom I did, and do. I knew that to ensure that could happen, people like me needed to hand over a blank check. So, like many before me I did exactly that.

I received an honorable discharge on October 11th of 2000. While I was in the Army, friends died. I went to funerals. Thankfully there are still those in the military working to offer me, my wife, and daughters freedom. “Rough men stand ready to do violence on my behalf.”

What is the difference between them and me? “But for the grace of god there go I.” What this says is, I was not in control of what happened, and it is little more than luck that I can write this. Someone had to go, they drew the low card. At the end of the day, we had the same training, and I was not a “super soldier.” That could be me in eternal rest.

As for being in the military, my time came and went. I am an old fat man now. I rant about politics. Complain about policy. I have trained service members. I get to sleep at night.

So on Memorial Day, or Veterans Day, Armed Forces Day, or whatever day it is. If you look at the similarities these three groups have, instead of the difference, and walk up to one of us and say, “Thank you.” I’ll say “You’re welcome.” But I offer you this, the best way to say thank you to me, and any member of the armed forces living or dead, is to sleep well.

First, the CISSP is used as the defacto standard for senior level information security positions related to government work.

Counter the “old white security guy,” by having the OSCP too. The OSCP smacks of Millenial “I’m here, I expect an award,” so that will balance it out.

It’s also intersting that this argument is self defeating.

”Unfourtunately, a lot of people are afraid to speak the truth, to let their CISSP lapse because they feel it’s a risk.” 
and 
”Most shockingly on the latter is the fact that members can’t renew due to website issues and then incure hundreds of dollars of late penalties.”

So either people are renewing their CISSP’s (not letting them lapse) or they are not. I’m calling bullshit on your “late penalties” until you produce something that shows this exists. I’ve never known anyone to have a problem with registering CPE’s or paying the maintenance fee. You’d need more than one or two anecdotes to demonstrate there’s a problem here. And you just imply it, you don’t provide evidence.

I also call bullshit on, “I couldn’t afford the upkeep on my own.” CPE’s are literally free, they’re a time based thing. Write an article, teach a class, go to free classes (I’ve received CPE’s for going to Infragard meetings that cost NOTHING). And upkeep is barely more than $5 a month. What position did you leave at Microsoft, janitorial?

You’ve never heard anyone say, “I like this candidate but they aren’t certified?” Well, that’s because they didn’t make it to the table. EVERY HR system I’ve interacted with over the past two decades uses screening terms in your resume. If they expect a CISSP, and you don’t mention the title on your resume, your resume is ignored and you don’t get the interview. People that aren’t interviewed don’t end up being talked about.

Every position I’ve had in the Denver Tech Center over the past decade was because of experience and certifications (including the CISSP).

If you want to talk about what needs to be done away with, the requirement for college degrees is a better place to start. Oh wait, the big companies are already doing that (Apple, Google, IBM). So if not a degree or a certification to provide evidence of a qualification, what then? Your promise that you are qualified?

I’m not afraid to speak the truth. I can’t tell you the number of candidates I’ve caught in phone interviews googling their answers (and how funny it was that I could take their answer, put it in google and find the page they got it from). There HAS to be some standard. The CISSP is meant to be a minimum standard. A way to show that a candidate has minimum qualifications.

You let your CISSP lapse and didn’t spend $2000. Good for you. I’ve not, and I’m well over a million dollars in the black over the almost ten years I’ve had mine. I’ll take my million dollars over your $2000 any day.

I am an Army veteran. I enjoy shooting. I have a CCP (Concealed Carry Permit). I average a trip to the range every week. While there I spend a minimum of one hour using a firearm doing drills like drawing from a holster and shooting, picking up a firearm from a flat surface (table) and shooting, and shooting with my off hand. That means I spend a minimum of 52 hours a year training with my firearm. I average one firearms class per month (average length, one day). It’s even documented.

Dave Grossi is a retired police Lieutenant from upstate New York. He has served in multiple capacities as an officer. In 2017 he wrote an article about the training officers receive. He said, 

In reality, most police departments only train about two times a year, averaging less than 15 hours annually.

Soak that in for a moment. On average I do 400% more training with my firearms than police officers do.

Four times.

Now for some cars comparisons. “Guns are built to kill people and cars are built for transportation.” Interesting comparison.

In 2008 there were 304.1 million citizens in the U.S. 11,000 were killed with one of the 4,498,944 firearms. In the same year 37,261 people were killed with one of the 255,917,660 cars nationwide. 

I have two daughters. One is 8 and one is 3. I once heard someone say that when you have children your heart walks outside of your chest. I understand what that means now.

On February 14th four people proposed a law in my state that does nothing to protect, and will harm with unintended consequences. Two Senators (Lois Court and Brittany Pettersen) and two Representatives (Tom Sullivan and Alec Garnett) have proposed to sidestep the Constitution. HB 19–1177 “Extreme Risk Protection Order,” does not provide protection, and does not eliminate extreme risk.

In fact on June 27th, 2005 The Supreme Court ruled that the police did not have a constitutional duty to protect a person from harm, even a woman who had obtained a court-issued protective order against a violent husband making an arrest mandatory for a violation. To be clear, police are NOT required to place themselves in harms way to protect you.

That’s right, the Supreme Court has already ruled on this. The police have NO Constitutional duty to protect. That means that the police have no Constitutional duty to act based on someone’s feeling, beliefs, best interpretation of reading tea leaves, tarot, or emotional response. It is up to individuals to protect themselves.

But here we are, with senators and representatives that assume they have the authority to ignore the Supreme Court and demand that police intercede on the assumption of a crime being committed instead of crimes that are or have been committed. Frightening powers are being handed to courts to hold secret meetings to hear one side of a case, and based on the opinion of someone making a sworn statement, that there is a threat, we need to circumvent the Constitution and act without regard to due process, and steal from people based on say so alone.

“But there is penalty of perjury,” you say. Not really. Not unless it can be proven that the person that filled out the form did not believe that the gun owner in question would actually commit the crime. Here’s the problem with that nonsense. Belief is literally accepting a claim without evidence. So what is being proposed is that people that are claiming something without evidence can decide to have the police violate Constitutional rights.

I swore to uphold and defend the Constitution the day that I became a Soldier. What would you have me do now? Politicians are choosing to follow a course of action that violates the Constitution. I’m not a Constitutional scholar, but in this case I don’t need to be one. I know that the Constitution is under attack by this legislation.

Am I expected to make a special case because these are legislators? Am I supposed to sit on my hands and do nothing while laws that negatively impact my ability to protect my children are proposed? I have an ex-wife. We divorced two decades ago. She has lied to judges before, they knew it and did nothing. Cowards in black robes will not protect us from poorly thought out laws. They have no incentive, AND THEY HAVE ALREADY TOLD US WE ARE RESPONSIBLE FOR OUR OWN PROTECTION.

So what am I supposed to do? While bad laws are being written and proposed, what am I supposed to do? I am a skeptic, an Atheist, and a disabled vet. What do you expect me to do, when the police show up at 5 a.m. raising a ruckus, and I’m bleary eyed and confused and show up at my door to protect my family, armed because of the amount of noise, and on the other side of the door are jack booted thugs bent on wiping their asses with the Constitution?

What do you expect a law abiding gun owner, with a wife and two girls expecting to be safe in their home from unreasonable search and seizure to do? They have already executed one individual with a red flag law. Who would think after something so tragic, that it needs to happen in Colorado? What is it about this summary execution that these four individuals (Lois Court, Brittany Petersen, Tom Sullivan and Alec Garnet) liked so much they want to see it happen here?

What do you own? Right now, what possessions do you have? A car? A house? A computer? A phone?

At one point the U.S. economy was based around the exchange of goods. We could trade a good for a good or service. When money became ubiquitous we would trade money for goods or services. If I provided you money for a screwdriver, I owned the screwdriver at the end of the transaction.

This model changed while no one was looking. What do you pay for when you purchase something now? Suppose we consider one of the best selling products in the U.S. Let’s look at the iPhone. This device is not meant to be a computer. It is meant to be the opposite of an ATM. You put money into it.

An iPhone is only as useful as the data service provided to it. Data service is something you pay for. Wether you use T-Mobile, Sprint, or AT&T you pay to have this device connected to the outside world. Consider that banks and credit unions pay for their ATM machines to be connected to networks. Now you are paying for the convenience of having the same access to your money, all the time, in your pocket.

The cost of the ATM has been moved from the bank or credit union, to you. This is only the first example of technology moving the cost to you. The recording industry is an example of an entity everyone loves to hate. Let’s go bigger and talk about media and media companies in general.

You use your iPhone to purchase music, books, magazines, movies, and pictures. How much physical space have you taken up? None. To quote late night TV, “But wait, there’s more…” You didn’t buy any of that media. You used a subscription to purchase access to the media. You don’t actually own anything. You are allowed access.

Let’s look at the model again. You are paying (through a subscription) to access networks that you pay (through a subscription) to allow you to read books, listen to music, watch movies and play video games. The video games access servers that run as long as there are enough subscribers paying for access. When not enough subscribers pay for access, the server is shut down. Even if the game is one you enjoy, or is still playable.

The device you are using has limited resources. Each year improvements are made to the available resources in the device. As new resources are added the software in the device (that you get for “free” so that you can be charged for subscriptions) demand access to the increased resources. Eventually a functional device is rendered unusable because the environment (ecosystem) no longer supports the resource limitations of an older device.

Good news though, when the next device comes out you can buy the new device and receive a portion of the value of your old device. This way you can keep up with the change in technology. You pay full price for a device, own it for a year or two, and then sell it back to receive credit towards your next device.

Have you ever done this with a hammer? A hand mixer? A stove? No? What if told you I was going to sell you a stove for full price and then in two years give you 50% of the value of the stove towards a new stove? Would you be interested in constantly upgrading your stove? Likely you would not be very interested. Why? How many people see your stove on a daily basis?

Cars, Phones, even video game consoles are all publicly inspectable. Video game consoles? How so? If you own an XBox with Halo 2 you can invite a friend to play with you. If the have a PlayStation, they have to turn you down because of an artificial incompatibility. Microsoft doesn’t make Halo 2 for PlayStation. If your friend wants to play Halo 2 they have to buy an XBox. If friends are people that we have commonalities with, then this matters.

But what does this have to do with ownership. You are paying a subscription for access to networks so that the device you paid for can have access to video games. Not so that you can OWN a video game, but so that you can access video games. You access the people playing the games this way too. And again the company selling the video game decides when it’s time for you to move on from the video game you are playing.

You don’t own the game on media so you can’t resell the game. Since the video game connects to a server that you don’t own and don’t control, you can’t play the game past when the company that created the game and owns the server allows. You are paying for what used to get you permanent access to a game (assuming things don’t break) to get temporary access based on a companies timeline. Of course the same problem of resources increasing in devices over time leading to obsolescence applies here as well. Only the console companies aren’t as interested in giving you money for a used console.

Let’s talk about that car you think you own for a moment. Either you paid for it and have the title, or you didn’t (and don’t have the title). If you don’t have the title, you don’t own the car. But there’s more to it than that. There’s risk. Driving a car makes you a risk to people around you. This is why insurance exists. Even if you paid for the car, you are still paying for insurance, gas, and maintenance. You are paying for the risks involved with the car.

Ten years ago I received a prescription that changed my life. I am a 43 year old disabled vet that has been diagnosed with Attention Deficit Disorder. I have spent twenty years looking for the drug (under the supervision of a psychiatrist) that will give me that, “I’m normal now,” feeling. I tried many pharmaceuticals and have met with limited (no) success.

If I were to describe Attention Deficit Disorder it would translate to the familiar refrain, “capable of better and or more work.” My life is a story of missed opportunity, wasted energy, and spectacular failure. I am, by some accounts, my own worst enemy. I have had an average of two different employers each year for two decades.

The problem I have is one of executive function. I have been told something that I WANTED to know, and five minutes later can’t remember what was just said. I can make plans that sound completely reasonable, and fail to follow through because… I forgot. I can create exceptionally. My IQ was tested, it’s a non-issue.

When I heard of someone using a prosthesis to remediate the problem, I was intrigued. If I could find something that made it possible for me to interact with people in a manner that made them comfortable, did I not owe it to the people that matter to me? Should I not at least TRY this revolutionary device in the hopes that I would be at least average?

The psychiatrist that was attending me wrote a prescription for a “digital assistant.” It could be a tablet, a phone, or any other type of device that would assist me with executive function. I was elated. The ensuing decade has been amazing. I have done things that I could not have done, because I could not have followed through.

Now I discover that there need to be “smart phone free” zones. I can’t enjoy a public performance because I NEED to have a device with me. That people think they have all the answers on how I REALLY need to solve my problem, if I just did it their way, is both demeaning and insulting.

So I ask, could someone explain it to me like I’m seven, so that I can explain to my seven year old daughter why dad can’t take her to public performances?

I’m going to provide a simplified example of what layered security isn’t. Let’s assume you want to put up a physical wall. The technical term is “barrier,” but let’s use wall to keep it simple.

You start calling contractors and let them know that you are interested in having a wall put up. You schedule a meeting with three different contractors to hear their sales pitch. The first one shows you a picture of what you expect a wall to look like, the description matches what you expect a walls description to be, the material and thickness meet your needs.

The second contractor uses what appears to be the same graphics in their presentation. However, the contractor points out that their wall is actually two walls that are half as thick as the previous contractors wall. They tell you that this is because they implemented a security practice called “layered security.” “This improves security because if the first layer fails, you have a second one.” Everything else is the same, total thickness of the material, material used, wall height, etc. Except for the price of course. They charge twice as much for their wall.

The third contractor comes in and has a unique graphic that catches your eye immediately. They have a wall that is half as thick as the first contractors. Theirs is made out of the same material as the first contractors. They also have a line splitting it showing that it is “actually” two walls too, they’re just touching like the second contractors.

The major difference here is that they have another separate wall, well, not a wall exactly. It’s a chain link fence. They also tell you how important layered security is. They point to the fact that they have three layers, and even have a unique outer layer of security. They of course present the most expensive wall solution at four times the cost of the first.

Ladies and gentlemen of the jury, if I asked you based on this story what you thought of “layered security,” what would your answer be? Would you respond, “that seems brilliant?” Would you exclaim, “this seems like the emperor has no clothes?” Would you ask how you could get hired by the third company?

This is a common problem with people new to Information Security. They mistake “layered security,” also called the “security onion,” for what I have described above.

I could tell you a story about another company that builds impenetrable walls, because their walls have infinite layers… that are infinitesimally thick. But, they’ll tell you that it’ll take an infinite amount of time to get through them…

Instinctually, you know that something is wrong here. And you’re right, there is. Let me build a comparison example, and we’ll see what the difference is so that we can understand what layered security is.

At the last minute you meet with another contractor. They show you that they too will build the same wall as the first contractor does. Same height, same thickness, same material, same craftsmanship. “Well, okay, but I already have that option?” “We also include an alarm system that will alert you of any damage to the wall, or if anyone goes over it.” They tell you that the total system costs as much as the second contractors.

Now how do you feel? If security was the deciding factor, not money, would you purchase this “wall?” Why?

Layered security is often confused with redundancy. That was our third example. You actually have two walls (one is a chain link fence). They both exist at the same layer, and both function similarly, though not exactly the same way. If one fails, you expect the other to do the job the first failed at, but again, do the job a similar way.

What that last example gave you was security done a different way. If I were applying this design to network speak, I’d have a firewall with a SEIM. A firewall and a SEIM don’t operate at the same layer, don’t function similarly, and don’t require the existence of the other to function at all. Yet when used in concert, you have…

Layered Security

The term, when used correctly, describes an important concept. When the term is used incorrectly it provides a false sense of security and is an effective way to waste time and money.

Declaring the CISSP a “foot in the door” certification is to clearly misunderstand its purpose in todays Information Security Environment. The problem with the CISSP is not the certification per se, but rather the misunderstanding of what it is, what it is for, and what it documents.

The fact that there are people that do not take this certification seriously says more about the people that joke about it, than the people that hold the certification. Is this a certification that should be taken seriously, absolutely. “Average” people study for a year before they take the exam. The test is a grueling 6 hours. When one has taken the test and passed, you feel like you have accomplished something. This is because (after hitting every place I could find on-line) first time failure rates may be as high as 70% to 80%.

There is a claim that the material is worthless to 99% of people involved in information security. I find that claim fascinating as I have actually been responsible for fire extinguishers, fences, and lighting. Here is the first misunderstanding that needs to be corrected. This certification is for MANAGERS in information security. Think operations managers, project managers, or even attorneys. These are the people that need to understand why things work the way they do and the terminology that is used, but do not need to worry about doing it themselves.

The CISSP relies on experience instead of requiring demonstration of hands-on skills. This is because the certification is designed for people that will be leading the implementers. The reason that you need to understand the concepts is so that in communication with those that speak technojargon, you can translate correctly what is meant, and why. Everyone in middle management that is responsible for IT should be required to have a CISSP. Upper management should consider specializations. To claim that tangible “real” skills are the only thing of value is to miss that an army of workers with no direction accomplishes nothing. The CISSP can bridge the gap between an MBA and the IT security team they run.

If you are of the opinion that this cert is not what you want in your IT sec team, then find the one you do want. Select a vendors security certification. Cisco and Juniper have many to choose from. These certifications are outstanding for implementation. Need to certify someones ability to do a vulnerability test? How about an OSCP? Instead of demanding that ISC^2 destroy this test in lieu of another test that already exists, why not correct your view of what this test represents?

Why would someone be proud of their CISSP?

• Studied for a test instead of watching TV.
• Took and passed a test that most people fail their first time through
• You have documented that you have at least five years of related experience
• It can count as a significant portion of a college degree
• It documents a standard that you have achieved
• You can assist people in the same accomplishment

People, your understanding is broken

HR offices know little to nothing about the breadth and scope of information security. The people that work there are not required to understand the intricacies of what a particular certification means. The people that contact HR and request an employee determine what certifications are required. Arguing will not get you much.

As a CISSP keep in mind that you have more to learn. It should not be your only certification. If you earned your certification from a brain dump on line, you are part of what is called the paper tiger brigade. These are people with certifications that do not understand how to apply them. Examples are; Cisco Certified Network Professionals that have never touched a router, CHFI’s that do not know what tool to use to recover a file on a Linux box, Network+ holders that can not even subnet. Paper tigers reduce the value of the certifications they misrepresent.

So do what do I propose?

We need to document people that are paper tigers. When you hire one and discover they can not do the job, there should be a reporting mechanism to identify what the discrepancy was. As this individual moves from employer to employer there would be documentation of issues. If there are enough issues, the certification should be pulled. This way we can eliminate paper tigers that affect all valid certification holders by bringing down the value of the certification. Instead of demanding destruction of certifications, we should make sure we understand what the certification certifies, and be willing to document undeserving candidates.

If you’re in your teens or twenties you won’t read this. Your reaction will be “ew, a wall of text.” If you’re in your late twenties or thirties, you won’t read this. It goes against the socially “correct” position to have, even though what it asserts is factual. If you are in your late thirties to four times, you won’t read this because it doesn’t fit in your echo chamber. If you’re in your fifties or beyond, you won’t read this because you know better. But you don’t.

I sat and read an article from a media distribution outlet today. One of the big news companies posted an article about… well, it doesn’t really matter. Because this article, like most of the articles that you can find on-line, suffered from not having a human read it before it was posted. Words were missing from sentences. Incorrect homonyms were used. In general it was the usual, “slap it together and get it published.” Usage of English be damned, to hell with fact checking, get it out there.

CNN published an article by Michelle Lou and Brandon Giggs on April 2, 2019. The article talks about bridges in the United States. Just one of the MANY errors in the article:

Structurally deficient means that one of four key elements of the bridge is rated at 4, which is poor, or below.

Below what? Below standards? Anyone that speaks English natively would immediately detect that error. What this demonstrates is that CNN cares so little about its consumers, that it’s okay to skip the editing process, throw shit at you, and expect that this is acceptable.

Make no mistake, CNN is not the only organization that does not care. Not a day goes by that articles from ever news organization, written by “professionals,” has GLARING oversights in the quality of the work produced. It is NOT expected that professionals will be perfect. It IS expected that professionals will find their errors and correct them, BEFORE publication. Fox, MSNBC, Washington Post, it doesn’t matter. I can provide examples from any of these outlets.

The empty cloud

On August 6th, 2012 an article was published in Wired magazine by Mat Honan. In the article, he relates how the accounts he uses on line were destroyed over the period of an hour. First, he lost access to accounts in Google, then Twitter, and finally his AppleID was compromised. Mats Amazon account was a connecting link between Google and the AppleID.

To hear him tell the story the damage done to his on-line presence was preventable. Mat knew better, but still did not use multi-factor authentication, or on-site backups. He then continues to talk about how the hacks happened. Someone got into a service (Amazon), harvested data from them (last four digits of his credit card number), and used that data as an identifier with the next service (AppleID). Each service had different identity requirements, and treated identity information differently.

The reports of this attack were scathing. Tech blogs posted how-to’s helping users identify if they were effected. This was negative press, and no company wanted it. Initially, Apple suspended phone password resets. This gave Apple time to reevaluate their security policy. They realized they had a problem, and moved to fix it. Two months later they announced what measures they were taking to protect their customers.

Fingering you

In September of 2013 Apple announced a new iPhone, the 5S. It had hardware that could read a person’s fingerprint, and use it as a form of authentication. This change required a redesign of the hardware. No longer was security a function of just software. The phone could measure a physical attribute and determine if the use of the device were authorized.

And this changed everything. Under the hood, Apple had to ensure that all components that amassed information (all the little bits of hardware, from the fingerprint reader, to the storage location, to the processor) were legitimate. If someone stole an iPhone, the thief could open it and replace components. A simplification of the way the system prevents this from working includes reading unchangeable identities of the components. The name of this system is the “secure enclave.”

Apple started its iOS security at the hardware level. They also changed the way that iCloud stored information. Apple removed themselves from the security equation. They replaced components of their iCloud security with one way functions. This means that even Apple does not have a back door to the information you store with them. If you lose a password, access to your account by Apple is prevented mathematically. This means that law enforcement does not have access either.

“You can’t please all the people all the time.”

Apple took actions to protect themselves and their customers. The move started at the hardware level, swept through changes in the software, and was accentuated by changes in policy effecting iCloud.

They’re gobbling up everything they can learn about you and trying to monetize it. We think that’s wrong. — Tim Cook. 

Customers applauded. Customers cheered. Then the updates came, and customers did not cheer so much anymore.

Error 53 first showed up around February of 2016. The unrecoverable error code shows up in iTunes when updating an iPhone to the most recent release of iOS. During the update the software identifies that a piece of hardware has changed. Maybe you took your phone to a repair shop not authorized by Apple. Maybe your cousin Frank fixed your phone for you. Maybe you wanted to save a few bucks and had your next door neighbor fix your phone.

What you will see, is this:

Apples explanation:

If your iOS device has Touch ID, iOS checks that the Touch ID sensor matches your device’s other components during an update or restore. This check keeps your device and the iOS features related to Touch ID secure. When iOS finds an unidentified or unexpected Touch ID module, the check fails. For example, an unauthorized or faulty screen replacement could cause the check to fail.

You can trust me, honest.

What, exactly, is Apple trying to protect me from? The name of this type of attack is man-in-the-middle. If I can see you when I communicate with you, I can establish that most likely communication is going directly from me to you. However, if we are in separate rooms, and someone has to carry a message from me to you, they may tamper with the message after it leaves my hands, or before it gets to you. To prevent this from succeeding we have to reach an agreement on a method for establishing that what I send, is what you receive.

So why are we worried about this in a phone? Assume someone steals my phone. The hardware inside the phone is connected together using wires. The fingerprint sensor is in a different room than the processor and the memory that compares what the sensor sees to a stored value. I could remove the fingerprint sensor and attach something that repeatedly tries to send the correct pattern of ones and zeroes until I get into the phone. This “brute force” attack is not elegant, but it is possible.

What were the publics reactions when Apple accounts were easily hacked? Class action lawsuit; of course. Right down to violations of the Magnus-Moss warranty act. Now, that we have fixed the problem, and secured everything down to the hardware level, what is the publics reaction? Class action lawsuit; of course. It is expected that the Magnus-Moss warranty act will rear its ugly head again.
 
 At the beginning of this story, Apple was guilty of providing people what they wanted, instead of what they needed. At the end of the story Apple is providing people what they needed instead of what they wanted. What is the result for the consumer if they fall victim to error 53? The customer buys a new phone.

This is a response to the linked article by Kasim Khan

Solid matter as we conventionally understand it does not exist in the universe.

Citation please.

For all particles are merely vibrations of energy.

This sentence makes as much sense as “giant green colorless midgets sleep furiously.” It is a delicious word salad with no topping.

Energy is defined as the ability to do work. There are three ways that you can have energy:

1. An object can have energy by virtue of its motion (kinetic energy)
2. An object can have energy by virtue of its position (potential energy)
3. An object can have energy by virtue of its mass (E=MC^2)

Even the atoms that form objects and substances that we call solid are actually made up of 99.99999% space.

True, but irrelevant to what you are saying.

What we perceive as our physical material world, is really not physical or material at all, in fact, it is far from it. This has been proven time and time again by multiple Nobel Prize (among many other scientists around the world) winning physicists, one of them being Niels Bohr, a Danish Physicist who made significant contributions to understanding atomic structure and quantum theory.

Nails Bohr was awarded with a Nobel Prize for demonstrating the structure of atoms (structure by definition includes solid matter) and of the radiation emanating from them. His Nobel prize has nothing to do with demonstrating that matter is just energy. This statement is as absurd as saying grass is just made of wavy.

“If quantum mechanics hasn’t profoundly shocked you, you haven’t understood it yet. Everything we call real is made of things that cannot be regarded as real.” — Niels Bohr

This is a quote mine. Quotes without context are like artificial flowers. Pretty and useless.

Everything is energy, including you.

Wrong. A thing can have the property of energy (the ability to do work), but everything is not the ability to do work. You are incorrectly using clearly defined terms here, and not making clear what it is you are trying to say.

All that you are is energy, and when you start to perceive yourself in this way, as an almost ‘spiritual’ being untouched by space and time, and unrestricted by an apparently physical body, the barriers within you will begin to dissipate.

You’ve not provided a rational argument for this to be factual. You may as well be saying, “all that you are is wavy,” or “all that you are is marshmallow.” Science has NOTHING to do with anything spiritual. It is a tool set that can not be used to support the supernatural. By definition it is not possible.

A great way of helping you reach these levels of perception is through meditation and self-contemplation.

Finally, something that science HAS said. Yes, science has figured out what is happening during prayer/meditation/self-contemplation. This is understood and documented in several medical journals. It does not include magic.

The atoms that make up your body are constantly vibrating at a very fast rate or ‘frequency’.

Not exactly right, but for the time being, we’ll let this stand.

If you are in a positive state of mind you will be vibrating at a very high frequency and this makes it very difficult for any negative energy to infiltrate you, but if you are unhappy or depressed and vibrating at a very low and slow frequency then you are open to all types of negative energy which will only serve to bring you even further down.

Okay, NO. Energy is the ability to do work. The ability to do work does not have an emotion. Let’s talk about “negative energy” for a moment. Negative ability to do work? Are you saying no ability to do work, or are you saying the ability to do the opposite of work, which is what exactly? And wouldn’t that take work being done? See how this is word salad? It sounds good, but it means nothing.

Based on this knowledge what we are at our essence is a vibrational being made up of pure energy

Your premises has been demonstrated incorrect, therefore your conclusion fails.

and collectively as the human race how we vibrate creates the reality around us

No. There is a measurable demonstrable reality around us, and that is what the tools of science measure and provide tangible results from.

Basically the universe resonates with whatever vibration we are giving off.

Not based on any claim you have supported, or anything science has demonstrated.

It does not matter if it is positive or negative, the universe will resonate.

You still haven’t shown that there is something “negative” to resonate… This statement is absurd.

The state of the world therefore is a result of the collective human consciousness.

Again, your premise is false so your conclusion is invalid.

The current state of the world is a direct representation of the average vibration that humanity is operating from.

Again, your premise is false so your conclusion is invalid.

War, famine, scarcity, violence, hatred, frustration and conflict are all found in the world because they are found within the internal state of humanity.

Define “internal state.” This may be true, but no one can tell because you are mixing concepts like an external state of matter (vibration) with an internal state of consciousness with no conclusive demonstrable causal connection other than the “sciencey” words you strung together.

Yet amidst all the conflict we are also witnessing something beautiful emerge. We are witnessing growth, love, kindness, expansion, forgiveness, and change; all originating in a desire arising from the depths of us all to return to our natural state so that we may move towards a future where all life can prosper.

Can you cite an article that supports this? Provide something measurable that shows how this conclusion was reached? How did you come to what is defined as “our natural state?” How did you determine that this “natural state” would allow all life to prosper?

This is the energetic awakening that is occurring on the planet today.

What the fark does this even mean?

Understanding the universe will not bring about change all by itself. It will allow us to see and comprehend the true nature of reality and of ourselves, but that alone will not change the world.

This is why we have a tool set called science. We can use the tools in the set to help us understand what is really going on out there, and determine what options we have to do something about it. We then use things like philosophy and ethics to help us in determining what should be done.

The transformation truly begins when we start to understand the principles of the universe, and then apply those principles to our life.

I could not agree more. I do not see where articles like this help that process in any way. If anything it confuses reality for magic or the supernatural.

The significance of this information is for us to wake up, and realize that we are all energy

No, we’re not, and you have not demonstrated that is the case.

radiating our own unique energy signature.

Define “energy signature.”

Feelings, thoughts and emotions play a vital role, quantum physics helps us see the significance of how we all feel.

Quantum physics has not a damn thing to do with how we feel. It is not magic. To say otherwise is to lie about what quantum physics is.

If all of us are in a peaceful loving state inside, it will no doubt impact the external world around us, and influence how others feel as well.

This nice sentiment may be true, and even if it is, science has nothing to do with it.

Feel love and abundance, and you will attract love and abundance. Spend your days doing what you are enthusiastic and passionate about, and you will manifest a life that allows you to pursue your enthusiasm and passions, whatever they may be.

Again, a nice sentiment, but science has nothing to do with this.

All of this contributes directly to changing the world and due to the higher energetic nature of vibrations such as love, joy, and compassion.

And we close with one last word salad that has already been demonstrated to have no actual meaning. Love, and joy are emotions, compassion is the outward demonstration of emotions. Please, stop trying to sound scientific when you have NO UNDERSTANDING of the material you are destroying.

In this episode Princess Abigail returns to the Denver Mini Maker Faire. She hunts desperately for R2-D2. As our intrepid young princess enters the faire she finds R2 serving drinks again. It appears astromech droids make for good bartenders, who knew? The work done on this conversion is… stunning. This IS the droid she’s looking for.

Princess Abigail has been looking forward to this Maker’s Faire since she attended her first one, THE first one in Denver last year. You can see the record of her adventures here. She was excited to build a project at the SparkFun booth. When we found it, she was disappointed to see that there was no Simon or watch project to speak of. Her Jedi guardian informed her this was likely due to a lack of space for such an undertaking, and potentially a reality of the economics of this side of the galaxy. She enjoyed the FLIR demonstration, the “printed” circuits, and digital synthesizer.

The Nerdy Derby was exciting to watch, but the impatience associated with being four prevented the princess from committing the time necessary to enjoy the derby itself. Her Jedi escort informed her that he would be able to acquire the vehicle blanks and 3D print the parts needed on his prntrbot. They could have their own nerdy derby, and the parts could be whatever colors she liked (and even made to look like My Little Pony).

Next she would be afforded the opportunity to make a “musical instrument.” After assembling it from hanging file folder bits, some paper wrap, masking tape, and rubber bands, she was able to reproduce… the mating call of a bantha? Well, it made noise, and at her age, noise was acceptable.

The synthesizer petting zoo was delightful. Many times she asked if she could acquire such goods to take back to her star system. Her Jedi escort reminded her that they were there to experience the entire Faire, and not just loiter at one particular location.

DenHack was the next booth that gave her and her Jedi escort pause. To understand the engineer there (identified as Radio Shack), this demonstration was one of using cheap stuff to produce an expensive simulation. There was an entire ships bridge constructed from inexpensive tablet computers, connected to an inexpensive laptop, producing an amazingly realistic view of a starship in space. The unique component of this demonstration was that the different positions were required to work together to accomplish tasks.