Posts

Showing posts from October, 2017

Amazon Key and Security Hypocrisy

People who work in security, particularly in computer security, get a bad reputation for paranoia and for always saying no. Some of those reasons are deserved, and some aren't. Security people tend to be more aware than most of the people around them of the potential consequences of omitting some security controls. They also tend to be more aware of how often security problems cause bigger problems like lost money, lost customer information, etc. But, the accusations against security people are also often true. Security people do have a paranoid streak. Sometimes, they get so caught up in what could go wrong that they neglect the advantages if things go right. "This could cost us a million dollars!" is a concern, but if it's something that will make billions of dollars, that might just be okay. To deal with this conflict, most organizations have come to rely on some sort of threat modeling. I've talked about it before, but in a nutshell, you think about way

Because that's where the money is

So, the US Congress is talking about taxes again, and as always, everybody's trying to cut taxes for their donors without pissing off everyone else too much. I was curious about the effects on the bottom line of a tax increase, so I went looking for some data. I should be clear here. I'm not an expert in any of the relevant subjects: economics, statistics, policy, etc. I just wanted to understand what it means when they talk about cutting taxes for one group by a few percent. How much does that affect everyone else? We know that poor people don't have money to spare. Rich people do. On the other hand, there are a lot more poor people than there are rich people. Put another way, 1% of Bill Gates' income could pay off a lot of debt, but there's only one of him. 1% of an ordinary person's income wouldn't pay off much debt, but there are lots more normal people. So, how does it balance out? I found this really useful Wikipedia link showing the number of

When not to Encrypt

I'm publishing this as an unfinished draft because it came up in conversation. Hopefully, I'll go back and rework this later. If you're not a technical person, just skip this one. In technology circles, there's been a lot of talk about encryption lately. It's regarded as A Good Thing. If you take away one thing from this post, it's that encrypting your data is almost always a good idea. And, if you're not a technical person, you can just shorten that to "Always Encrypt". But, for the technical people, there are edge cases. There are always @#$!@% edge cases. There are two primary reasons to encrypt: privacy and verification. Unfortunately, when it comes to TLS, they're mixed together. Verification is always a good thing, but there are times when the privacy is either unnecessary or actively harmful. For example: Waste. If you're downloading a public file, and you have another way to verify it, then encryption is just wasted memo

Security or complication? Google Device Account and Emergency Email

I've had a Gmail account since they were introduced. I have an easy to remember account name, and Gmail includes a lot of nice features like checking other accounts via POP3, mail forwarding, and mail filters. They also have the best spam filter I've been able to find. As a result, a few years ago, I started sending all of my email through Gmail just to deal with the spam. To their credit, Google offers really great security for Google accounts. They came out with Google Authenticator a while ago, and they support U2F and other common two-factor authentication. They make it easy to see which applications have access to different parts of your Google account and what bits of data have been accessed. It's all well thought out and quite secure. Except... Google makes Android available to anyone. The core portion is Open Source, and they license a lot of the add-ons under a pretty open license. As a result, lots of companies make Android devices. Unfortunately, those compa

Ideas

There's no real pattern here. Just a few ideas for new websites that have been rolling around in my head. 1. Website idea: Central, shared contact information. I'd like to have a place where I can post my name, address, website, social media accounts (and a way to indicate whether I'm a regular user or I have an account but never use it), etc. for friends. Then, I'd like to show a slightly different profile to family. A third profile for prospective employers. Maybe a fourth or fifth for different clubs or hobbies that I participate in. Ideally, friends and family would create their own profiles, and they'd be able to subscribe to updates from mine. If I move or get a new phone number, I could update it there, and all of the right people would see it or be notified. 2. A "verifying" link shortening service. There are a bunch of services out there like https://tinyurl.com/ or https://is.gd/ . I'd like to see one that rates the honesty of the article

And Again

Last night, yet again, America saw a terrible gun tragedy. This keeps happening, and we keep doing nothing. A few shootings ago (and isn't it terrible that this happens often enough to make that a valid unit of measure), John Scalzi wrote something in his blog that covered most of what I want to say, and he said it better than I can. However, there's another side to this and to so many other social and political issues that's been bothering me a lot lately: We're talking about the wrong things. So, here's my prediction on how the next few days of the news cycle will go: Lots of tentative finger pointing. "I'll bet that the shooter was a member of a race/religion/political party that I don't like!" As details unfold, a whole lot of "I told you so" from whoever was right in that random guessing game. Some knee-jerk reactions about "what we need to do". OBVIOUSLY, we need to either stop selling guns or buy more of them an