Discussions
Reply to: DYI Air Purifier for Wildfire Smoke Posted 4 weeks ago
Reply to: News of the week 2023-07-24 Posted 3 months ago

TCB just means the parts of the system that you have no choice but to trust.  The ideal system is trustless. Yes, I mean prefer macOS over Linux.  As much as I love Linux (and used it for my main desktop OS for many years) it hasn’t kept pace with escalating threats as well as macOS has. Apple silicon appears to be one of the best hardware choices at the moment, from a security standpoint. An ex-housemate of mine got government security clearance so the NSA could brief him on how to make Gmail more secure, so yes that’s a good choice.  🙂  It won’t protect you from the NSA, of course. 2FA is important and hardware keys are the best.  I use YubiKeys.  If you buy one, buy it directly from the manufacturer instead of a reseller to avoid supply-chain attacks. Use Signal for private communication and use the safety number verification feature.  As far as we can tell, Signal is the only communication system that’s secure. I am responsible for software development and associated application security for some internal and public facing applications. … What’s a good approach for educating myself on this? Again this depends on your company’s threat model and associated defense budget.  If you have the budget, hire an external company to do a penetration test of your applications and that will probably wake you up with cold water very quickly to potential problems.  External audits of source code can also be helpful. In general, for software development:  If you haven’t already, recognize that complexity is the enemy of secure software.  Object Oriented Programming was a mistake and unnecessarily increases the complexity of software.  Adopt the Function Core/Imperative Shell model for writing software.  Adopt the principles of functional programming in your applications by composing small, pure functions.  Learn functional programming but stop before it gets into category theory because otherwise no one else will be able to read your code.  Educate your other developers to do the same. If your software is a custodian of personal data, e.g., of customers, then treat every last bit of it as a liability and aggressively winnow it down. Recognize that in the modern era every professional software developer needs have to have security skill and that skill must be updated constantly.  Read the Crypto-Gram Newsletter for keeping up-to-date with macro trends.  Find other specialized resources that are relevant to your line of work to keep educating yourself.

Reply to: DYI Air Purifier for Wildfire Smoke Posted 3 months ago
Reply to: The Pandemic is Only Beginning: The Long COVID Disaster Posted 3 months ago
Reply to: The Pandemic is Only Beginning: The Long COVID Disaster Posted 3 months ago
Reply to: News of the week 2023-07-24 Posted August 19, 2023

That’s a great question.  Cyber defense is challenging for three reasons: 1.  The interconnectedness and complexity of modern computer systems favor offense over defense—you have to get 100 things right to protect a system but only one thing right to compromise it. 2.  The economic incentives are misaligned.  This is the biggest of the problems.  Investing in defense doesn’t produce a visible ROI and it’s hard to assess results.  If you buy a three-legged stool and it’s missing a leg then the problem is obvious to all stakeholders.  Assessing the security of a system can be done only by experts and it’s not objective. 3.  The threat landscaping is constantly escalating.  Recently I advised a client to perform a high-stakes transaction over a video call rather than an audio call because audio calls can be spoofed (and there have been successful high-value attacks).  A few weeks after I delivered my report to the client I had to reach out to them again and tell them I saw my first live video call spoofing attack in the wild. Back to your question of how to improve our defenses:  It depends on your threat model and I could offer specific suggestions if you tell me some details of yours, but in general: 1. Personal defense:  Choose a trustable ally for your TCB (Trusted Computing Base).  E.g., both Apple and Google spend astronomical amounts on getting security right and have deep talent pools.  As much as I like fiddling with open source, I trust those two companies to manage my TCB more than I trust myself. 2. Company defense:  It depends on the threat model of the company. 3. Societal defense:  This is a tricky one because of the economic incentives.  There are many companies that would rather pay the cost of cleaning up an attack rather than spending money to prevent it.  Unfortunately many of us suffer collateral damage if, e.g., said company is holding our personal data.  Government can play a role to identify critical infrastructure in the private sector and prod them to do the right thing but there hasn’t been a lot of success thus far.  If I were president I would split up the NSA into two separate organizations—one for offense and the other for defense.  It’s currently chartered with both missions but the majority of its focus seems to be on offense.

Reply to: The Pandemic is Only Beginning: The Long COVID Disaster Posted August 19, 2023
Reply to: The Pandemic is Only Beginning: The Long COVID Disaster Posted August 18, 2023
Reply to: The Pandemic is Only Beginning: The Long COVID Disaster Posted August 18, 2023
Reply to: The Pandemic is Only Beginning: The Long COVID Disaster Posted August 18, 2023
The Pandemic is Only Beginning: The Long COVID Disaster
17
2
Posted August 7, 2023
Reply to: News of the week 2023-07-24 Posted July 31, 2023
Reply to: News of the week 2023-07-24 Posted July 31, 2023
Reply to: News of the week 2023-07-24 Posted July 26, 2023

TikTok is buzzing about a possible new Covid surge beginning in the US. Japan is having a hard time with Covid hospitalizations right now with Okinawa being hit particularly hard.  Patrick on TikTok has been talking a lot about it in his channel and summarizes the latest news reports in this video: https://www.tiktok.com/t/ZT88SWUpF/ Japan has higher vaccination rates than the US and has been better about masking so this is concerning. There’s an uptick in the waste water monitoring in the US.  Take a look at Biobot and click on “Last 6 months”.  The inflection point is June 21. The FDA is recomending the booster coming in the fall target the XBB.1.5 variant but we live in a multi-variant world now and XBB.1.5 comprises only 1/3 of the infections in the US (see the same Biobot page under “Covid-19 Variant Trends over Time”). I’m keeping my eye on all of this. I’m also going to start digging into a report suggesting that getting a booster too soon after a Covid infection can cause harm and that it’s better to wait for an unclear period of time instead before getting another vaccine shot.  It’s possible that bloodwork post-Covid infection can help to inform a doctor about what this period of time should be.  I’d love it if someone else could do some digging on this topic too.

Reply to: News for the week of 2023-06-05 Posted June 7, 2023

I asked ChatGPT about using an N95 vs. a P100 and got a thoughtful response: N100 masks are a type of filtering facepiece respirator that, when properly fitted, are designed to filter out 99.97% of airborne particles. This is the same filtration level as a P100 mask, but like the N95 mask, the “N” in N100 stands for “Not resistant to oil.” This means that N100 masks are not intended to protect against oil-based particulates, but they can provide excellent protection against non-oil based particulates, such as those found in wildfire smoke. The effectiveness of an N100 mask, like all masks, depends on getting a proper fit on the face. Here are some factors to consider when comparing N100 masks to N95 and P100 masks: 1. Filtration Efficiency: N100 and P100 masks filter out the same percentage of particles, and both offer a higher level of filtration compared to N95 masks.2. Oil Resistance: Like N95 masks, N100 masks are not resistant to oil. This is mainly a concern in certain industrial settings, and is less relevant for protection from wildfire smoke, which primarily consists of non-oil based particles.3. Breathing Difficulty: As N100 masks filter out more particles than N95 masks, they typically offer more resistance to breathing. This resistance can make it more uncomfortable to wear for long periods of time.4. Fit: As with all masks, a proper fit is crucial for effectiveness. Because N100 masks may be larger or heavier than N95 masks, they might be more difficult to fit properly.5. Availability and Cost: N100 masks are generally less common and more expensive than N95 masks. In summary, while N100 masks can provide a higher level of filtration than N95 masks, they can also be more uncomfortable, more difficult to fit properly, and more expensive. For most people, an N95 mask will be sufficient for protection against wildfire smoke when used properly. As always, it’s important to use masks in conjunction with other protective measures, such as staying indoors and using air purifiers. And remember, masks do not protect against harmful gases that may be present in wildfire smoke.

Reply to: News for the week of 2023-06-05 Posted June 7, 2023
DYI Air Purifier for Wildfire Smoke
8
6
Posted June 7, 2023
Reply to: What *don’t* we know about online safety? Posted June 7, 2023
Reply to: News for the week of 2023-06-05 Posted June 7, 2023
Reply to: News for week of 2023-03-20 Posted March 23, 2023
Load more...
The Pandemic is Only Beginning: The Long COVID Disaster
17
2
Posted August 7, 2023
DYI Air Purifier for Wildfire Smoke
8
6
Posted June 7, 2023
Favorite source for storm warnings?
20
2
Posted January 3, 2023
Favorite brand of insulated coveralls?
5
7
Posted November 22, 2022
Reuse wet N95?
4
9
Posted September 8, 2022
Preparation for flying?
19
20
Posted July 10, 2020
Preparing for CLO induced bank failures?
27
20
Posted June 11, 2020
Guide to buying an AR-15?
69
23
Posted June 5, 2020
Reply to: DYI Air Purifier for Wildfire Smoke Posted 4 weeks ago
Reply to: News of the week 2023-07-24 Posted 3 months ago

TCB just means the parts of the system that you have no choice but to trust.  The ideal system is trustless. Yes, I mean prefer macOS over Linux.  As much as I love Linux (and used it for my main desktop OS for many years) it hasn’t kept pace with escalating threats as well as macOS has. Apple silicon appears to be one of the best hardware choices at the moment, from a security standpoint. An ex-housemate of mine got government security clearance so the NSA could brief him on how to make Gmail more secure, so yes that’s a good choice.  🙂  It won’t protect you from the NSA, of course. 2FA is important and hardware keys are the best.  I use YubiKeys.  If you buy one, buy it directly from the manufacturer instead of a reseller to avoid supply-chain attacks. Use Signal for private communication and use the safety number verification feature.  As far as we can tell, Signal is the only communication system that’s secure. I am responsible for software development and associated application security for some internal and public facing applications. … What’s a good approach for educating myself on this? Again this depends on your company’s threat model and associated defense budget.  If you have the budget, hire an external company to do a penetration test of your applications and that will probably wake you up with cold water very quickly to potential problems.  External audits of source code can also be helpful. In general, for software development:  If you haven’t already, recognize that complexity is the enemy of secure software.  Object Oriented Programming was a mistake and unnecessarily increases the complexity of software.  Adopt the Function Core/Imperative Shell model for writing software.  Adopt the principles of functional programming in your applications by composing small, pure functions.  Learn functional programming but stop before it gets into category theory because otherwise no one else will be able to read your code.  Educate your other developers to do the same. If your software is a custodian of personal data, e.g., of customers, then treat every last bit of it as a liability and aggressively winnow it down. Recognize that in the modern era every professional software developer needs have to have security skill and that skill must be updated constantly.  Read the Crypto-Gram Newsletter for keeping up-to-date with macro trends.  Find other specialized resources that are relevant to your line of work to keep educating yourself.

Reply to: DYI Air Purifier for Wildfire Smoke Posted 3 months ago
Reply to: The Pandemic is Only Beginning: The Long COVID Disaster Posted 3 months ago
Reply to: The Pandemic is Only Beginning: The Long COVID Disaster Posted 3 months ago
Reply to: News of the week 2023-07-24 Posted August 19, 2023

That’s a great question.  Cyber defense is challenging for three reasons: 1.  The interconnectedness and complexity of modern computer systems favor offense over defense—you have to get 100 things right to protect a system but only one thing right to compromise it. 2.  The economic incentives are misaligned.  This is the biggest of the problems.  Investing in defense doesn’t produce a visible ROI and it’s hard to assess results.  If you buy a three-legged stool and it’s missing a leg then the problem is obvious to all stakeholders.  Assessing the security of a system can be done only by experts and it’s not objective. 3.  The threat landscaping is constantly escalating.  Recently I advised a client to perform a high-stakes transaction over a video call rather than an audio call because audio calls can be spoofed (and there have been successful high-value attacks).  A few weeks after I delivered my report to the client I had to reach out to them again and tell them I saw my first live video call spoofing attack in the wild. Back to your question of how to improve our defenses:  It depends on your threat model and I could offer specific suggestions if you tell me some details of yours, but in general: 1. Personal defense:  Choose a trustable ally for your TCB (Trusted Computing Base).  E.g., both Apple and Google spend astronomical amounts on getting security right and have deep talent pools.  As much as I like fiddling with open source, I trust those two companies to manage my TCB more than I trust myself. 2. Company defense:  It depends on the threat model of the company. 3. Societal defense:  This is a tricky one because of the economic incentives.  There are many companies that would rather pay the cost of cleaning up an attack rather than spending money to prevent it.  Unfortunately many of us suffer collateral damage if, e.g., said company is holding our personal data.  Government can play a role to identify critical infrastructure in the private sector and prod them to do the right thing but there hasn’t been a lot of success thus far.  If I were president I would split up the NSA into two separate organizations—one for offense and the other for defense.  It’s currently chartered with both missions but the majority of its focus seems to be on offense.

Reply to: The Pandemic is Only Beginning: The Long COVID Disaster Posted August 19, 2023
Reply to: The Pandemic is Only Beginning: The Long COVID Disaster Posted August 18, 2023
Reply to: The Pandemic is Only Beginning: The Long COVID Disaster Posted August 18, 2023
Reply to: The Pandemic is Only Beginning: The Long COVID Disaster Posted August 18, 2023
Reply to: News of the week 2023-07-24 Posted July 31, 2023
Reply to: News of the week 2023-07-24 Posted July 31, 2023
Reply to: News of the week 2023-07-24 Posted July 26, 2023

TikTok is buzzing about a possible new Covid surge beginning in the US. Japan is having a hard time with Covid hospitalizations right now with Okinawa being hit particularly hard.  Patrick on TikTok has been talking a lot about it in his channel and summarizes the latest news reports in this video: https://www.tiktok.com/t/ZT88SWUpF/ Japan has higher vaccination rates than the US and has been better about masking so this is concerning. There’s an uptick in the waste water monitoring in the US.  Take a look at Biobot and click on “Last 6 months”.  The inflection point is June 21. The FDA is recomending the booster coming in the fall target the XBB.1.5 variant but we live in a multi-variant world now and XBB.1.5 comprises only 1/3 of the infections in the US (see the same Biobot page under “Covid-19 Variant Trends over Time”). I’m keeping my eye on all of this. I’m also going to start digging into a report suggesting that getting a booster too soon after a Covid infection can cause harm and that it’s better to wait for an unclear period of time instead before getting another vaccine shot.  It’s possible that bloodwork post-Covid infection can help to inform a doctor about what this period of time should be.  I’d love it if someone else could do some digging on this topic too.

Reply to: News for the week of 2023-06-05 Posted June 7, 2023

I asked ChatGPT about using an N95 vs. a P100 and got a thoughtful response: N100 masks are a type of filtering facepiece respirator that, when properly fitted, are designed to filter out 99.97% of airborne particles. This is the same filtration level as a P100 mask, but like the N95 mask, the “N” in N100 stands for “Not resistant to oil.” This means that N100 masks are not intended to protect against oil-based particulates, but they can provide excellent protection against non-oil based particulates, such as those found in wildfire smoke. The effectiveness of an N100 mask, like all masks, depends on getting a proper fit on the face. Here are some factors to consider when comparing N100 masks to N95 and P100 masks: 1. Filtration Efficiency: N100 and P100 masks filter out the same percentage of particles, and both offer a higher level of filtration compared to N95 masks.2. Oil Resistance: Like N95 masks, N100 masks are not resistant to oil. This is mainly a concern in certain industrial settings, and is less relevant for protection from wildfire smoke, which primarily consists of non-oil based particles.3. Breathing Difficulty: As N100 masks filter out more particles than N95 masks, they typically offer more resistance to breathing. This resistance can make it more uncomfortable to wear for long periods of time.4. Fit: As with all masks, a proper fit is crucial for effectiveness. Because N100 masks may be larger or heavier than N95 masks, they might be more difficult to fit properly.5. Availability and Cost: N100 masks are generally less common and more expensive than N95 masks. In summary, while N100 masks can provide a higher level of filtration than N95 masks, they can also be more uncomfortable, more difficult to fit properly, and more expensive. For most people, an N95 mask will be sufficient for protection against wildfire smoke when used properly. As always, it’s important to use masks in conjunction with other protective measures, such as staying indoors and using air purifiers. And remember, masks do not protect against harmful gases that may be present in wildfire smoke.

Reply to: News for the week of 2023-06-05 Posted June 7, 2023
Reply to: What *don’t* we know about online safety? Posted June 7, 2023
Reply to: News for the week of 2023-06-05 Posted June 7, 2023
Reply to: News for week of 2023-03-20 Posted March 23, 2023
Reply to: News for week of 2023-03-06 Posted March 18, 2023
Reply to: News for week of 2023-02-20 Posted March 2, 2023
Load more...