Tuesday, July 20, 2010

Eureka! It's supply and demand, stupid!

I've been twisting for a very long time over the whole 'vendors should pay for vulns' mantra that has recently been enthusiastically revived by a bunch of independent security researchers who, to the best of my knowledge, have never actually worked for a software vendor to understand the engineering realities of developing enterprise software.

Tonight I realized why vendors don't need to pay a dime, and it has nothing to do with vendors buying silence or two researchers finding the same bug independently and the second researcher going Full Disclosure on the vendor because the first researcher already collected the bounty.

We can all stop debating what a critical remote code execution bug is going to be worth when there is an open market for vulnerabilities. An open market requires competition. And there will not be competition. Who is going to buy Apple bugs? Apple. Microsoft sure as hell isn't going to buy them, not without a whole lot of up close and personal attention from the nice folks at the DOJ. So let's say Apple offers $10 per RCE. Whaddya gonna do about it? Whine? Go sell it to iDefense? YOU CAN DO THAT TODAY.

So simple it makes me giggle that I didn't see it before. Econ101.

~E


Sunday, July 04, 2010

We're All Gonna Die Someday

That title wouldn't typically be associated with optimism. Bear with me here. Lately I have had a number of reminders of my mortality, all in the span of about two months. It has been a bit overwhelming and has forced me to consider how I am living, and what is important to me. The time I have left is shorter than the time I have traveled. The 'how would you live your life if you knew you only had a short amount of time left' theory is popular in movies and books, and even something easy to say you are going to do. It is hard to live though. It is really easy to allow fear to lead you to settle for the known, for something comfortable, something good enough. Fear can make you run, but fear can also make you stand still. I spent 2009 standing still. I was so afraid I would never find what I want, so afraid I had made mistakes, so afraid I would settle, I was too afraid to even try.

I am not afraid of dying. I am afraid of dying with regrets for the things I didn't do, I am afraid of settling for 'good enough'. I don't want to look back in regret on the time I had, and wonder if I wasted it. A tolerable life is not enough. I've thrown my world into total upheaval to find more than that. I want bliss, I want joy, I want growth and new experiences and exploration. I want to see the world, I want to experience all life has to offer. That is going to take time and will almost certainly be a hard road, and I can't do it if I am too afraid to go outside and expose myself to it. If I don't get on the road, I'll NEVER get to where I want to go. And where I want to go will be worth it. And that is why I am optimistic. Don't get me wrong, I destabilize a bit every time I get a visceral reminder of the fact that time is moving quickly and there is still a lot left that I want to do with my life. I'm scared I won't get there. But I look with a new respect at what I have, the happiness I have, and find opportunities to experience new things every day. And I owe it to myself to continue actively living my life as best I can to achieve my dreams.

I'm going to get there. And if there is some unforeseen tragic accident in which I die tomorrow, it will be knowing that I lived as fully as I could to achieve my dreams.

~Elphie


Friday, July 02, 2010

fanfuckingtastic

I notice I am swearing a lot lately. A lot more than I used to. It actually makes me a little uncomfortable, and I'm working on cutting back on the F-bombs. But dammit Jim, I'm an analyst, not a linguist, so I broke down my last blogpost and discovered the following things:

ONE:
1,222 words
16 swear words*

That means just 1.3% cussing. That doesn't seem so bad.

TWO:
I copied my last blogpost and pasted it into a Word doc to get the wordcount and GODDAMMIT IE8 SUCKS ASS for not having a spellcheck function. Hello, it's a 2009 product, who keeps cutting this goddamned feature? Why do I have to write my blog in Word so I can have a spellcheck feature and then copy it into the browser? I can't possibly be the only person generating content on the web.

Workaround: Use FireFox. *sigh* I just wish FF didn't crash so damn often.

~Elphie


*douchebag not counted as swearing


(this blogpost contains 3% cussing)


Wednesday, June 30, 2010

Fuck You, 2009.

2009 was a bad year.

No, let me rephrase that.

2009 was a totally shitty year.

That might not be an adequate description either.

2009 was without a doubt the hardest and worst year of my entire life, where I saw some of the darkest days I have ever experienced.

I am glad it is over.

I have been thinking a lot lately about writing about 2009. I couldn't write about it at the time, I was all emo and shit, it would have just annoyed you. Hell, it annoyed me so much I quit writing in my journal. I'm not going to go back and dig all that up to spew here. The short rundown is that everything was going sideways on the fasttrack to fucked up, and a lot of it was totally out of my control. My career was totally fucked, I'd gone from working for one awful manager in a totally dysfunctional team to reporting to what could possibly be the most arrogant elitist misogynistic douchebag in the company who wouldn't have hired me and totally changed the job I had been hired to do by the prior team manager (who I think I only worked for for about a month before he left the team). My personal life was a train wreck, compounded by the fact that I felt completely incompetent by the decaying orbit of my career and the still smouldering crater of my divorce on the personal landscape. I ended up going through a lot of therapy and on anti-anxiety and anti-depressant medications to try and re-set my brain, but the fact that I was depressed and out of control of my neurotransmitters made me feel like a failure - why couldn't I just get happy?

Things started getting better when I quit my job; funny, but being unemployed let me get off the anti-anxiety meds. I took five months off and lived off savings while trying to get my shit back together. Today I've got a solid job and I'm proving to myself again that I'm not just a one-trick pony who got lucky and was one of management's darlings for awhile, but truly competent and useful. I've worked through a lot of my personal issues and while I won't lie and pretend everything is exactly how I dreamed it would be, I'm healthy and happy again and have been off the anti-depressants for 2 months now.

So why the hell am I blogging about this at all? Am I looking for pity? To create drama? Send secret passive aggressive messages to people? No on all counts (let's face it, that bit about the misogynist douchebag was hardly passive, and I'd tell him that to his face if I ran into him). I'm writing about this because writing is part of who I am. If you go back and read the blog's history, I write about a lot of things, but there is a thread going through much of it that relates to my personal journey of self-awareness, and my search for happy. And I've been journeying a lot lately, so I expect I'll be spending a fair amount of time here. I don't know if anyone reads this or cares, but writing and publishing it makes me feel better. There are some things I am intensely private about by choice. But a lot of things I have a need to express, because keeping them inside feels shameful when they shouldn't be. And if you want to judge me for my experiences or feelings or the fact that I'm sharing them with the world, fuck you. This is who I am, and I don't need negative energy in my life. You should stop reading my blog.

So 2009 sucked ass. There were times that I wanted to run away and start over - new town, new life, new job, maybe even a new name, new hair, new everything - anything that would make me be anyone but me. Everything was so fucked up, I just wanted to try again, get a second chance to do things right. But that wouldn't have actually fixed anything. I would have just moved all my emotional shit to a new geography. I had to work through it. And working through it SUCKED. There were friends who helped me when I would let them, friends who brought me smoothies when I couldn't eat anything, friends who would talk to me for hours while I cried, hell I even re-established a relationship with my mom, who I hadn't seen in 9 years but ended up talking to near daily. And while I NEVER EVER want another year like 2009, I learned a lot from it and am a healthier person today for having experienced it.

Possibly the most important lesson I learned was to let go of things I can't control. Stress is inefficient and a waste of energy in many cases. Missed your flight? Well, not a whole hell of a lot you can do except rebook and wait. No point getting upset about it, it doesn't change the situation one bit. May as well get a snack and something to read, and settle down in the airport for some people watching. So many things that used to annoy / aggravate / upset / stress me out, they all seem pretty small potatoes now. I've returned to my prior state of being a hopeful optimist, but gained the traits of being much more laid back and relaxed in general about things.

Part of learning to let go of things I can't control was understanding that even if I can understand WHY something is the way it is, that doesn't mean there is a damn thing I can do about it. Life is not an engineering problem to be solved. I was trying to figure out WHY things were the way they were, thinking if I could measure and quantify that, I could do something to fix it. And the inability to fix things and make myself get better was making me feel like a failure.

But some things can never be understood. And even if they could be, they still aren't things in your power to change. Sometimes you can do everything right, and you still don't get the outcome you wanted due to variables outside of your control. Shit happens. Doesn't mean you failed. In fact, I probably stay in shitty situations too long because I think if I work harder at fixing it I can make things better, but maybe the reality is that THAT is the failure. Failure to recognize the writing on the wall and walk away from an unfixable situation before hitting rock bottom. Dunno. I don't know that I'll ever be able to balance walking away with the feeling that giving up is a sort of personal failure. We'll see.

For now, I'm just thankful I came out of 2009 stronger and healthier, and while I was broken in almost every way conceivable during it, it didn't break me forever. I am glad I was able to learn something from all the darkness. I am thankful that 2010 is a better year. And I am thankful for the people I love, and the people who love me. That is enough.

~Elphie


Friday, March 26, 2010

CanSecWest

Single track, super smart technical content (well, except maybe the idiot from McAfee), high quality attendees... This is a good conference.

Charlie Miller's talk on fuzzing was interesting from an analytic point of view, showing the curve that illustrates the point of diminishing returns for fuzzing and the volume of failures you will have in order to achieve a few successes (exploits). Key take away for vendors: keep fuzzing. A lot. Because if you don't, someone else will.

Pwn2Own was open for its usual 3 days but all the exploits were on day 1 again. iPhone was the only phone that was hacked, and three of the four browsers were hacked (IE8, FireFox, Safari). I carry an iPhone, dammit. Thinking about switching from FF to Chrome though. I doubt it is bulletproof, but if no one is targeting it because its market share is too small, I'm ok taking advantage of that security-through-obscurity for now.


Stupid Boys

I have a female coworker who is a badass tools developer. And at CanSec not only was it assumed she must not be here for the conference (female), but that she was the shiatsu massage therapist stationed at the con (Asian).

Eventually this retarded attitude at conferences has got to change. There were so many women at CanSec that Dragos ran out of ladies jackets and had to rush order more. Speaking of which, the jackets are pretty awesome. Probably the best con swag I've gotten in my 7 years of attending security conferences.


Sunday, February 21, 2010

I get it now

You seem very well
things look peaceful
I'm not quite as well
I thought you should know


Hurt is easier to swallow than anger. Alanis probably figured she was going to give herself cancer or some shit if she didn't get the rage out somehow.

Friday, February 12, 2010

the things people can't talk about

It is hard to keep things hidden inside. It is painful and sad and it hurts, because the act of keeping something secret somehow invalidates it, makes it feel dirty and shameful even when it shouldn't be. Whether you're hiding it to protect yourself or to protect someone else, the outcome is the same.

When a person hurts inside and they don't want to show it, they form a defensive shell and don't let people in. It is safer that way. They act like everything is fine, like they are bulletproof, like nothing ever bothers them. They project confidence and happiness, and they save their tears for in private where no one can see and suspect they are vulnerable.

And while they protect themselves, they struggle with feeling like they are being artificial, unauthentic, disingenuous. Identity becomes fractured between public and private. They hate who they are becoming but they feel they have no other choice. Who they are and who they present to the world are different things. And eventually this becomes routine, the new normal. Life goes on.

Someday, if they are lucky, the pressure gets released and they find themselves in a time and place with people with whom they have the opportunity to be themselves, and they don't have to hide (if they have the courage). They don't have to be ashamed. Hermey gets to be the dentist.


Wednesday, February 10, 2010

Dream Rehab

I strongly believe in self determination and that you have the ability to make your future what you want it to be. But there isn't a damn thing you can do to change the actions or decisions of other people involved no matter how hard you try. That doesn't make you a failure, just a dreamer who can't see reality. Sometimes things change and you can't see it, you only see what they were and not what they are. It is hard to let go of hope. I have more experience in this area than I'd like. It is hard to accept the death of your dreams. It hurts a lot, and the bigger the hurt the longer it takes to recover. But you move on because there isn't really any other option. As they say in The Shawshank Redemption, "time to get busy livin, or get busy dyin".

Thursday, September 10, 2009

Bioethics, meets Sports

Wow. I'm fascinated to see what comes of the case of Caster Semenya. She is an 18 year old female who apparently is sterile, as she has internal male testes instead of ovaries. But she apparently also has a uterus. She is dominating her track events because she has massive amounts of testosterone, but is not guilty of steroid use and hasn't broken any competition rules.

So now what? Let her continue to compete against women? Make her compete against men? Don't let her compete at all? She is at an advantage compared to the other women, but is it truly "unfair" if nature made her that way? Is it any more unfair than a swimmer with ridiculously large flipper like feet, or a bicyclist with unusually large heart/lungs?

I'm curious about the chromosomal tests that were run. Regardless, a very interesting situation.


Wednesday, August 26, 2009

A little birdy told me

I may, or may not, tweet from time to time.


Thursday, August 20, 2009

Secret hopes

Is it wrong that I secretly hope Michael Jackson staged his death so he can launch the most groundbreaking comeback tour ever? That is the only thing that makes his passing remotely interesting to me. Sorry for his kids and all, but he hasn't been culturally relevant in years. To me, at this point he is just a person like everyone else who died that day.


Sunday, August 16, 2009

and your little dog too...

If the owner of the yapsack outside doesn't do something soon, today might be the day I finally put down Toto.


Wednesday, December 17, 2008

Microsoft Live has no respect for users' privacy choices

I am a member of a small private blog that discusses matters of a highly personal nature. There are a couple dozen members. The blog was hosted on spaces.live.com, which recently upgraded its services/UI. As part of this upgrade, the ability to comment anonymously on blogposts was removed. Anonymous comments can be abused by spammers, I get that, it's why I moderate comments here on the Hideaway. But on a blog with restricted membership I think the threat of spam is about nil. Is having a system intelligent enough to respect user privacy in that situation too much to ask for though? Lemme see... IF blog has restricted membership ALLOW blog owner to SELECT whether or not to allow members to comment anonymously. Yeah, that's some wicked complicated logic. But whatever, new policy moving forward, I can live with that. Sucks as people are less likely to comment and engage in supportive discussion - I know I'll think a little more carefully about what I comment since I am personally identified - but at least I know that going in.

But no, it isn't that easy. Because Live went and applied the policy retroactively so all the anonymous comments posted in the past NOW EXPOSE THE COMMENTER'S NAME. Thankfully the blog owner noticed this and shut the blog down completely. Apparently un-selecting the 'use my profile' box and entering a pseudonym for your comment is entirely unsupported now AND they were tracking commenters' identities on the back end anyway, so now with no warning whatsoever to users, the privacy choice users made to un-select that box has been reversed.

Did I mention I'm pissed off?

I will NEVER, NEVER use a Live blog/mashup/cloud offering again. I'd ditch the email too if I didn't need it for my gamertag. Asstards.



~Elphie
