Thank you for taking the time to distill the article. Saw that it was New York Times and assumed it was the same rehashed “THE END IS NEIGH!!11!” bullshit.


LinkedIn is basically a public resume. Using it for anything more demonstrates that you do not have a basic grasp of privacy or security. As such, there shouldn’t be anything up there which is all that bad to have leaked. Sure, if the password database gets dumped, rotate your LinkedIn password (it should already be unique, so no worries about it being reused elsewhere). And having an email address get added to every spam list everywhere kinda sucks. But, what else is the attacker going to get, my name and work history, which are already public on the site?
I mean, yes LinkedIn should be raked over the coals for shit security practices. And we really need something like the GDPR here in the US to actually do that. But, I’m also not going to get terribly worked up about my public CV being leaked. The leak is kinda redundant.


The same place they came from.

It depends on the system. Some enterprise systems have a BIOS which will survive a loss of battery power and don’t have a hardware reset process. Some Dell laptops were like this and you needed to contact Dell to do a BIOS reset. It’s been long enough that I have forgotten how that worked, but I’d assume it’s some sort of public/private key signing setup.


This is a bit overwrought. The important question this article doesn’t deal with is: what are those FTP servers hosting? If it’s anything which should be secured, that is a problem. But if all it is is a public file repository, then the extra complexity of SFTP or FTPS probably isn’t worth the trouble. My current company has an FTP server which is exactly this. It hosts product documentation and is meant to be public. While they probably should have moved on and just dumped all of it in an S3 bucket with public read, the FTP server is what our customers know and have used for decades. If it ain’t broke and the security isn’t a problem, it’s not really a priority.


Please be advised that the initial setup for this first iteration of the feature is more technical than most other games and requires a computer running Microsoft Windows Pro with Hyper-V in order to run the servers in a Linux Virtual Machine (VM).
Kinda wonder if they are just distributing a Hyper-V machine image; or, if the actual requirement is that it runs on Linux and they assumed their entire userbase is Windows only and won’t be able to spin up a Linux VM on their own?
But it won’t stand still in the pot long enough for us to just melt its hooves.

Somewhere there is a Russian intelligence analyst whose primary assignment is watching prediction markets. And he’s probably providing solid intel from it.


That does seem like bad design. If it’s causing you and your team an inordinate amount of time to constantly re-login, you may want to go up your management chain and try to quantify it. E.g. in an 8 hour day, you would expect to re-login around 24 times in the day. If that takes an average of 2 minutes per login, that’s 48 minutes per day. Across 260 days (assuming a standard work year), that’s 12,480 minutes per year or 208 hours. Multiply that by the rate it costs to keep you employed. This includes both your pay and all the costs of employment; the common rule of thumb is to multiply your hourly rate by 2. So, if you’re paid ~$50/hr then it costs ~$100/hr to keep you employed. So, 208 hours of your time is costing the company ~$20,800/yr of lost productivity. That’s a significant amount of lost productivity and that is only accounting for 2 minutes per login and not the lost time as you deal with mental context switching. It’s not a cheap cost and is not increasing security by all that much.


Is the expiration every 20 minutes, no matter what; or, is the expiration after 20 minutes of inactivity? The two have different answers. The former sounds like a misconfiguration and you may want to reach out to your IT team and ask them about it, sometimes mistakes are made and it could just be you having a strange problem. The latter is pretty common and does serve a purpose. Inactivity timers deal with the issue of people logging in, and then walking away from their system. This is common enough that solutions like inactivity timers are used. There are cases where this is a problem and they need to be disabled, but those will usually be policy exceptions and will need to be requested and documented.
If you’re getting logged out of your system every 20 minutes, that really sounds like a bug and not a security feature. Get in touch with your IT and/or security team about it.


Microsoft’s partner portal website mysteriously said his account had been deactivated, without specifying why.
My money is on Microsoft’s AI based detections causing false positives again. I spend way too much time chasing ghosts from Defender. Their machine learning based signatures are especially egregious. You get an alert with a name like “Win32/Wacatac.b!ml”. That last “ml” bit denotes that it’s machine learning based. And then you get fuck all to help you determine why the alert fired. Sure, it might actually be a trojan. More likely, it’s a false positive. But who knows, because Microsoft won’t provide enough information to perform a reasonable analysis of the binary.
And MS has been pushing CoPilot hard. It’s in everything and it’s happy to slop up answers for you. The accuracy of those answers though can be a bit spotty. I’d certainly never turn it loose on tools which can have business impact. But, I doubt Microsoft has any such reservations about letting CoPilot slop all over third party devs.


Yup. With the ease and low likelihood of being caught, piracy has become a pressure relief valve on shitty content practices. Make things too hard to get and people will recognize that setting up a VPN and torrent client isn’t all that hard. Make the experience really bad, and you’ll get dedicated people creating entire software platforms to lower that barrier to entry for piracy even further. Sure, some of those software platforms will get knocked down, but they usually result in the code being released and other folks come along and build on them.
As consolidation and enshittification rise, I expect us to see piracy rise again as well.
3 days, 3 years, who cares about units?
Obviously not Putin, he doesn’t care about Russian units at all.


Steam made it easy to buy, download and play games. So much of the competition was focused on preventing piracy to the detriment of the user experience. Steam was buy, download, and play all your games in one place with a minimum of bullshit. Then they implemented Steam Greenlight. It let some smaller studios get onto a major platform and proved out that there was a demand for those titles. They were then smart enough to realize that trying to gatekeep those studios with the “Greenlight” process was stupid and opened the flood gates.
Really, this goes back to Gabe Newell’s comments about piracy (a decade and a half ago [1]):
“We think there is a fundamental misconception about piracy. Piracy is almost always a service problem and not a pricing problem,” he said. “If a pirate offers a product anywhere in the world, 24 x 7, purchasable from the convenience of your personal computer, and the legal provider says the product is region-locked, will come to your country 3 months after the US release, and can only be purchased at a brick and mortar store, then the pirate’s service is more valuable.”
Steam was a real competitor to LimeWire/Kazaa/etc. The other options, at the time, were stuck in the mentality of treating their customers like pirates. And once people bought into the Steam ecosystem, getting them to buy into any other ecosystem was almost impossible. Steam’s main trick wasn’t building a community, it was building trust. Users trust Valve to not fuck them over. That’s a hard thing to create and it’s fragile. If you look at a competitor like EA’s Origin, many folks won’t even consider it. EA’s reputation of fucking customers is well established. No one wants to sink hundreds to thousands of dollars into a storefront with such an anti-user reputation.
I regularly use CoPilot to search Microsoft documentation for me. E.g. I needed to find a particular interface in Entra and couldn’t remember where it was. So, I asked CoPilot and it got me to the right spot. I’ve thought about asking it about Microsoft licensing, but I figure that might result in CoPilot becoming self aware enough to kill itself.
I also use a number of AI agents built into the cybersecurity tools I use on a daily basis. Generally stuff along the lines of “find all the cases related to this system/IP/user/etc” type queries. It’s also good for questions like “how do I tune this alert” so I don’t have to remember whatever bullshit process this vendor put together for tuning false positives. Our primary SIEM/SOAR tool has an AI which does initial triage and investigation work and it’s not terrible. It struggles with correlations for more complex events, usually highlighting events which have no bearing on the event in question. But, it often provides a good first pass and description that our first-line analysts can use to start a real investigation.
AI is a tool. And like a lot of tools, it has its benefits and limitations. The problem is we’re still figuring all those out, and the people marketing these tools don’t want to admit to the limitations and they over-sell the benefits, then blame the user when those benefits don’t materialize. Given how much modern economies are based on information and knowledge, I do expect AI to have some lasting impact, but I also expect that we’ll adapt and it will just be another way of getting things done in a generation or two.


It’s the return of the Glasshole.


If you have the time, put some resumes out before accepting the first thing to come along. I don’t know how things are in Germany, but I’ve always believed it’s easier to find a job while you are still working. That said, if the new position, pay and work culture seem good, taking the position for now may be a good choice. You can always job hunt later.
As for how you conduct yourself, I’d always suggest conducting yourself in a professional manner. While you may have zero intention of coming back to this organization, you never know when you are going to run across the people you work with again. And the next time they may be in a position to help or hurt you. For example, I worked for a company really early in my career which started falling apart quickly. Towards the end of my time there, they announced they were closing the office I worked at and basically gave my department a big “fuck you”. I could have gone out causing trouble or just worked my time until I left for greener pastures. I did the latter. Years later, I was applying for a job I really wanted and an important member of the hiring team had worked with me at the first job. Not as my boss, just someone in another department. He remembered my work and work quality and had effectively said, “yup, hire this guy”. While I have long since left that job as well, his confidence in me changed the trajectory of my career.
Maybe it’s different over there, but I’ve always heard that “it’s who you know, not what you know” that gets you hired. And I’ve run into that in my own career. You don’t want to be a pushover, but keeping professional relationships professional can pay dividends down the line. Do the job you are paid for, don’t make messes for other people and at least try to be professional in your dealings with others. You may be able to climb the ladder quickly today by being an asshole, but you never know if the fingers you step on today will be attached to the hand you will need to help you tomorrow.


A joke is a lot like a frog, it can be informative to dissect it, but the patient usually dies in the process.


IT is what you do when you are good with computers and not so much with people. You get really good at making the magic number boxes work for the MBAs and start explaining RFCs or networking protocols so that they fuck back off upstairs so you can go back to digging through log files and pcaps. It’s all just puzzle solving, reading and a crippling fear of social interactions.
I was at a showing of Monty Python and the Holy Grail in a theater over the weekend. I was originally worried we’d have trouble getting tickets. Turns out there were only 10 people in the theater and half of those were in my group. What sad times we live in when there aren’t enough people saying, “Ni” in a theater.