Skip to content

2024

  • 5 min read

Too much (corporate) MFA

I work for a company that needs good security.

They recently re-organized their network infrastructure and let the cyber guys build whatever they wanted to build "in their image" and of course, now everything requires authentication. Email, Teams, AWS, VPN, command-line tools, and even on your work laptop, certain privileged commands are limited by dzdo (more modern sudo) and the laptops, servers and VMs are all whole-disk encrypted. APIs are turned off for fear of security exploits and people are just generally upset about the amount of security. It's a horrible environment.

There used to be a saying, "security is the inverse of usability" and I tend to still agree that the saying holds water.

The the days of startups and the wild west of the internet, there was a philosophy of the "hard crunchy outside and the soft gooey center" which meant that there was a firewall surrounding all of the internal networks and everything inside of the firewall was pretty much open and accessible by anyone who was allowed inside the firewall (by being in the office or access via VPN). This was fantastic. People could do whatever the heck they wanted to do. The developers were happy. Sysadmins had very few points of entry, so monitoring for intrusions was in just one or two locations. I get that "cyber" didn't really exist back then for most companies and the world was a different place, but it really was the best of all options.

Nowadays, "cyber" has their fingers everywhere. They control your browser. They limit what software is installable on corporate laptops and which commands can be run. They require encryption everywhere even when the data doesn't leave a system (like communications in-flight inside of a kubernetes cluster for example). They limit urls on the edge firewalls. They install wildcard SSL certificates that are loaded into the root cert store on laptops so the firewalls can do man-in-the-middle interception to peek inside of HTTPS requests that transverse the firewall. You can't just reboot a server or VM now because the whole-disk-encryption password has to be entered before the server will boot. They run multiple agents on every computer that can that watch software versions, open ports, and use peoples' laptops as network scanning agents. And you can't use USB thumb drives or hard drives anymore. They're forbidden.

Turning off APIs removes the option to do any kinds of automation. APIs are good things! Automation is good. It improves performance. Stop making us do everything manually. Computers are powerful. Why neuter them?

How can "cyber" be happy with the number of times someone needs to log into the corporate AD server, enter their username, password and MFA every time they switch to a different app or service? Email, O365, ServiceNow, Time-keeping, etc. They're all different systems but auth from AD and AD cookies expire after just a few minutes, so we have to re-auth dozens of times a day! Passwords need changing every 90 days (which NIST has proven to be WORSE for security and encourages poor password creation). They have to deal with the same systems too. Don't they get fed up with the number of times they need to authenticate in a day too?

Even modern commercial apps don't require constant auth like corporate security does. Gmail keeps login cookies for days if not weeks and there's no issues there. Why does corporate security need to be so anal-retentive about authorizing so many damn times a day? OMFG!

I was thinking. Can't we use the old adage of the "hard crunchy outside and the soft gooey center" in today's world? Provide VPNs for every project that needs silo-ing? Have a DMZ network for things like email, chat, phones, corporate services, etc. Use on-disk encryption at the SAN-level and take it off of the VM-level? The only difference would be that cyber wouldn't know what's installed on peoples' laptops and authing would only happen once when punching a hole in the firewall or walking into the office.

Physical security is ok with the locks only being on the outsides of the office buildings. Once you're inside, you can move from office-to-office without issue and bring anything you want with you in and out of the building. If this is allowed, why should the network/laptop/server security be any different?

Don't even get me started on password/secrets vaults. Cyber doesn't like that users keep passwords floating around in 100 different places and ways, so they came up with a password vault. Now all secrets and passwords are in a single location and accessible by anyone that can auth. So, Julie in HR who's password is snoopy123 can access every password that the organization uses for everything! Does that sound like a secure system to you? Now your one personal password is even more important to not lose. I did some asking around when password vaults first arrived on the scene and the authors of the password vaults even admitted that the only good reason for password vaults as far as security goes is that AFTER an intrusion, the access logs can be checked to see who requested the password used in the intrusion. That and automated password-rotation is really the only reasons that I can see using a password vault over the traditional method of password management.

Personally, If I were designing a new secure infrastructure, I'd make a damn secure VPN and not use any external services (Office 365, I'm talking to you). Once you're inside the corporate firewall, feel free to use email with a normal email/password, chat can be done internally, we don't need Teams or Slack or anything crazy like that. Firewalls can allow NAT'd traffic to stop any unwanted outside connections from coming in. If this were the case, the only thing that we wouldn't have that corporate security wants is control over the user's laptop. There's nothing stopping someone from downloading a virus. There's nothing stopping an employee from picking up a USB thumb drive from the parking lot and plugging it into a laptop and a virus running rampant. To protect against these things, use password protection (and allow for password vaults) to add an additional level of security to sensitive things (databases, internal documentation, proprietary code repositories, etc.) which are already available in most tools. Personally, I don't see anything wrong with the old way of doing things. If/when an employee leaves, their VPN access is revoked and that's that. The door's locked.

If someone from "cyber" can tell me why the old way is bad and the new way is better, please tell me, because I'm so frustrated every time I have to re-authenticate everywhere, all the time, that it's the number one worst part of my job.

  • 4 min read

If I were to run for president

My platform would be:

  • Term and (upper) age limits for SCOTUS, congress and (V)POTUS

    • The world belongs to the young. They should be deciding their own fate, not the old and disconnected fogies that are currently in power.

  • Computerize as much as possible in the government and give the poor an easy way to access government services (free phone, computer access, whatever is needed)

    • Too much of the government is run by very old computers and even a paper system. It's way past time to modernize. Very important systems (i.e. FAA) can keep paper as a backup as they already do.

  • Transparency for everything (that's not a military or intelligence secret)

    • Publish stats for everything as soon as possible so FICA requests aren't even needed anymore. Where does the money go? Who is doing what? Expose salaries of everyone who gets paid with tax money. In today's day and age, it should be easy to make information available to the masses quickly.

  • Make illegal:

    • Gerrymandering
    • Lobbyists in any form
    • Political campaign donations (and cap campaign spending to something reasonable where you don't have to be a millionaire to run for office)
    • Political special interest groups
    • Presidential immunity and presidential pardons

  • Allow vote-by-mail in every state.

  • Legalize marijuana across the country. Keep all other harder drugs illegal.

    • I don't smoke it, but it's legal almost everywhere already. This would allow pot shops to put their money in banks and make the system more secure overall.
    • Full amnesty for anyone in jail or prison for marijuana-related offenses. Restore their voting privileges.
    • Honorable discharges for anyone discharged from the military for marijuana-related reasons.

  • Federal help for any 'serious' drug addiction rehabilitation

  • Audit and modernize the welfare system - get rid of loopholes.

  • Guns:

    • Annual accountability audits. Just like annual taxes, let's make sure that the weapons that you bought are accounted for and in the hands of documented individuals. This is an effort to get weapons out of the hands of people who acquired them illegally. Proud weapon owners would be very willing to go through their weapons one at a time and show that they're in good working order and owned by the documented owner and incentivize them to not sell without documentation.

  • Police:

    • Get rid of military-style gear, but keep riot gear. If military force is required, that's what the National Guard is for.
    • Get social services to work side-by-side with police during every house call.

  • Very nice homeless shelters in every city that provide safety, privacy, a place to sleep, eat, clean and free WiFi. Nicer than tents, but not as permanent as a real house, perhaps partially exposed to the elements to encourage only temporary occupation.

    • For those homeless people that are not drug users, they can always use existing homeless shelters, but they're frequently not safe or family-friendly.
    • For those who are drug users and don't want to change their situation or aren't allowed in today's homeless shelters due to their drug use they also need a safe place to live with access to rehabilitation services.

  • Open the borders - wide open. Let everyone in that wants to come here. The Statue of Liberty says to do it. We should do it.

    • Let the people in! 99.9% of them just want asylum from a horrible country. The other 0.1% will be caught in our very good justice system.
    • Add more immigration judges to increase the speed of the immigration process - currently years, should be weeks or at most a few months.
    • Take the rest of the border budget and put it into infrastructure to add more train/rail and fix the ageing highways and bridges in the country.
    • Fine the immigrants that are here illegally and provide a legal path to citizenship.

  • Get rid of daylight savings time

    • Long overdue - doesn't help anything

  • Double (or even triple) the money for public education across the country

    • Encourage the most popular YouTubers to teach a school subject or get the YouTubers that already are teaching these subjects and super-popular to become part of the curricula.

  • Make sure that US Veterans get the help and medical treatment that they deserve no matter what the cost.

  • Higher taxes for billionaires - reduce or get rid of any large tax loopholes or incentives that keep them from paying their fair share.

  • Higher taxes for billion-dollar companies. Get rid of tax loopholes that keep companies from paying their fair share. Other non-tax incentives to build in certain states or cities can stay in-place.

  • Lower the cost of higher education using whatever means necessary back to a couple of thousand of dollars per semester. College costs are way too high and the middle-class are struggling to send their kids to school nowadays. Work towards a free federally-funded system if it's possible.

  • Adopt the European/Canadian healthcare/education system and work/life balance guidelines.

  • Put Steve Bannon, Roger Stone and Donald Trump in prison, but in the same cell - just because I think they deserve it. :)

  • 1 min read

Graphing Trump Lawsuits

Using public data, these are the causes and results of the trump lawsuits that are available via public records 1 (more than 50% of the court records were not made public).

  1. source: https://www.usatoday.com/pages/interactives/trump-lawsuits/ 

  • 2 min read

Ideas for modular homeless shelter

basic concept

A friend of mine convinced me to finally visualize something that I've been kicking around in my head. I always see homeless sleeping in tents on the side of the road or under an overpass and think to myself, "there's got to be a better way", so I finally built something.

I wanted to design something that could be used as temporary shelter. Not something that someone would really prefer over a real home, but something that would be safer than a tent on the freeway. Something that could house all kinds of small families, drug users, mentally challenged people safely, be easy to clean, be something that someone could call their home and provide some basic infrastructure for those less fortunate.

In the images on this page, I've designed a modular homeless shelter made of concrete that provides partial shelter, lighting, power, heat and water and is easily cleaned. The modules can be lined up herring-bone-style and in the rain, they'd even self-clean their neighbor. The entire collection of modules could all drain freely. To clean a module, it would only require a hosing out of the module. In the images, green represents a grate-covered drain. Red represents a heater. Blue is the sink.

There would be a community bathroom with showers elsewhere in the camp and it might be enclosed with a wall or fence to keep people out who haven't qualified for the shelter or who is potentially violent.

This is how the modules would "stack"

This shows the heater on the "bed" side of the shelter and the sink on the "drain" side.

I'm sure that not much would come of my design but I figured that I'd put it out there just in case...

  • 4 min read

How do GPS receivers actually work

I had to give this some thought because my pothole finder tool that I wrote during the summer of 2023 isn't providing very accurate pothole locations it turns out. :(

Ok, so I'm driving down the street, right? When I'm watching my phone and I have the map app running, I see my car dot following my actual location, which I expect. I know when I drive through an intersection and a few seconds or a few updates later, I see the dot on the map drive through the intersection. Ok, I get it, it takes a second or two to get the location from the GPSs. It takes the app a second to update, etc. No big deal.

However, using my app, I have a button that I press when I pass over a pot hole. I want to "drop a pin" on the map when I press my button, so the road repair guys can look on a map, zoom in and find exactly where my pot hole is located and start the work of filling it in.

Well, it turns out mixing real-world location and time with a GPS signal isn't as simple as it turns out.

As I'm driving down the road, the GPS is providing my app with lat/long pairs and other assorted information, however it's not as easy as just using the last GPS location that the app was given.

As I'm driving, let's say I get a GPS location at location "A". The actual location of tick "A" is a mish-mosh of average locations based on the different times that were received from the different GPS satellites that my receiver is listening to. If I have enough satellites overhead, I can get a lat/long, if I have more, I can get elevation and even more accuracy. This is all well-known however if I'm a fast-moving object, which locations between tick "A" and tick "B" am I getting? I don't really know how it happens, but I can either assume that it's one of two things. It's either an average of all of the locations that were calculated between point A and point B or it's the last location between point A and point B. Either way, when I press my "found a pothole" button, the location that is available to the app is much further behind where my car is actually located.

My initial simple fix was to set a flag that the button had been pressed and the time that the button had been pressed. When point "B" is given to the app, I calculate the percentage between point A and point B that the button had been pressed (based on the times that the GPS had given me point A and point B) and figure out an average percentage of distance between point A and B the button was pressed. I then calculate the lat/long of that location based on the locations A and B and the percentage of distance between them.

Still, locations weren't showing up correctly on the map. :( Grrr!

I can only assume that the GPS location that I get from the receiver is > one tick "old" as far as location goes. I don't know how the GPS works internally and there isn't any real information about the internal workings of a GPS receiver. Anything I found about the resolution of GPS mainly references the legal stuff and the "within 30 meters" accuracy that the original GPS spec included after the government removed the on-purpose jitter from the non-military time signals.

So the solution?

So, I'm adding a fudge factor into the code and tweaking it enough until I can drop a pin and the pin will actually show up at the correct location. It's a long and drawn-out process. I modify the code, re-install my raspberry pi into my car, drive around the neighborhood dropping pins as close to the corners of the turns and as close to the middle of the intersection as I can when I drive around. After 10 minutes, I go back home, load the dropped pins into Google maps and check how close I am to the actual locations that I think that I dropped them. I'm getting close to being accurate, but at the time of this writing, I'm at 1.5 "fudge-factor" ticks extra when I drop the pin from the GPS location, meaning that the pin isn't dropped at point A, point B or even point C, but somewhere between point C and point D which haven't even happened yet. If I'm accelerating or decelerating at the time I drop a pin, this "fudge factor" calculation would be way off, but it turns out driving around, I tend to keep a pretty constant speed, so the "fudge factor" amount actually works out pretty well.

  • 1 min read

What's with guys not being able to compliment women anymore?

I brought this up with a friend of the family and she was confused and thought (like I did) that it was still OK to compliment a woman about something about her. I complimented her and she appreciated it.

My wife and daughter think differently however. They said that it's not ok for a guy to compliment any woman on pretty much anything. Looks, clothing, hair, shoes, ... Anything.

I was re-watching "Only Murders in the Building" (Season One) with my wife and daughter and this same topic came up.

From the show:

You need to relax, okay? Just have fun. Laugh. Flirt.

Isn't it insulting to flirt now?

Well, who the hell knows?

Suddenly, it's rude to tell a secretary she looks pretty in a pair of slacks.

No. To that whole sentence.

Oliver: Compliment her purse. If it isn't on their body, you can like it.

No. Again, to every word that's coming out of your mouth.