@tayfonay
Fight mode > flight mode.
Yes!

I joined The League of Women Voters yesterday. This weekend I’m attending a Democrats of Harris County campaign kick off event to see where there are places I can help.

And if there are none, my wife and I have decided any money we can spare will go toward Dem campaigns. One we’re looking at is how close we could be to finally ousting that cowardly, piece o’ shit Ted Cruz who ran to Cancun when Texas fell into that deep freeze a few years ago.

This is an incredible story and had I been born in a different generation might have been my story as an academic. I'm so grateful to the women that came before me in academia, allowing me to be able to have both a family and my academic career. Congratulations Dr Fowler, so very overdue and so very well deserved. theguardian.com/science/articl

I would very much like a week of precedented times please.

I'd love a boring, uneventful time.

I wish people would be kind to each other, and stop othering people who seem unusual to them.

I wish people were more curious about others and less fearful.

I wish that money didn't equal power

I wish people cared about the world around them, and held it in common. Even with those they didn't know personally.

(Note: by people I mean those who we see widely represented in the media)

Amazon is (slowly, over the last 8 years) doing this thing where I signed up for Prime for the benefits of the base service, and then they started adding all these side benefits to Prime I didn't think at first I wanted like access to the video service or Twitch perks, and then they withdrew these benefits and are like ok now it's a surcharge, and I think they were expecting me to go "well now I've come to expect these things so I'll pay extra for them" but instead it just makes me pissed off

Hey, so before you criticize a female candidate because you “don’t like her laugh”…

Don’t.

Who had the "failure of a CrowdStrike update" (or something like it) in their threat model? And if you did, was it categorized as low likelihood and high impact? How many other things do we categorize that way? It might be time to take another look at those items we consider "low likelihood." And if the impact is high or critical, maybe dig a little deeper. Are you ready?

#infosec
#cybersecurity
#threatmodel
#risk
#CrowdStrike

AAARRRGGGHHHHHHHHHH!!!!!!!!

Channel 4 News, in talking about today's #Microsoft #CrowdStrike fuckup, stated that Y2K was imaginary.

No! No! NO!

We did a massive amount of work to update and ensure systems would keep on working. And more importantly WE TESTED EVERYTHING FULLY BEFORE GOING LIVE.

Context: someone on the birdsite is blaming #crowdstrike on DEI hiring

Here’s the thing folks. I’ve been coding 32 years. When something like this happens it’s an organizational failure. Yes, some human wrote a bad line. Someone can “git blame” and point to a human and it’s awful. But it’s the testing, the CI/CD, the A/B testing, the metered rollouts, an oh shit button to roll it back, the code coverage, the static analysis tools, the code reviews, the organizational health, and on and on 1/3

A lot of people think I'm being sarcastic here, which is fair because I only went toe-to-toe against people on Twitter and didn't do much here, so I'll state my full opinion below anyhow:

I would agree with anyone about not wanting to replace C (or C++). But, C has been alive for 50 years (or just 35 from C89) and Rust has been alive for just barely under 10 (since Rust 1.0). Even if you measure the last 10 years of Rust versus the last 10 years of C or C++, one of these languages is making leaps and bounds ahead in providing people better primitives to do good work.

SafeInt secured pretty much all of Microsoft Office from some of the hardest bugs back in, around, 2005. C++ still lacks safe integer primitives; C only just got 3 functions to do overflow-checked math in C23, after David Svoboda campaigned for years. Rust just... has them baked into the standard library, for all the types you care about, too.

Similarly, people have been having memory issues in C and C++ for a while too. Most of the way to get better has been clamping down on static analysis and doing more testing, but we're still getting these errors. Meanwhile, teams writing Rust have been making way less errors on this in all the openly-published data from corporations like Google, and privately we are hearing a lot more about people taking complex financial and parsing code and turning it into Rust and having a fraction of the issues.

Even if I want to see C doing better, I have to acknowledge we were (a) too slow and not brave enough to do the things that could fix these portions of the language; (b) have fundamental design issues in the language itself that make ownership impossible to integrate as part of the language without breaking a ton of code; (c) do not provide good in-language tools and keep depending on vendors to "do the right thing" (i.e. adding or expanding U.B. and then just saying "vendors will check it" rather than taking responsibility with our language design); (d) are moving monumentally too slow to address the needs of the industry that many people -- especially security people -- have been yelling about since the mid 90s.

As much as I just want to pretend that I can write off every developer with "haha lole skill issue test better sanitize better IDIOT", if the root cause on this bug is "there was some C and/or C++ code that looked nominally correct but did batshit insanity in production", we absolutely will have problems to answer for. This doesn't absolve CrowdStrike for cutting 100s of workers and playing fast and loose, this doesn't excuse the fact that hospitals went down and people likely dead from lack of access to care, this doesn't change that it's abhorrent to have unmitigated hardware access in Ring0 just for a "security product", which has been the trend of every app wanting to plug in its own RootKit-like tool just for the sake of "app security" lately (League, NProtect, School Exam Spyware, etc.). There's a LOT of levels of "what the fuck have we let happen?" in play here, but I don't control those other levels.

I'm responsible for C, so I'm gonna look at the C bit. Other people responsible for the other parts of this stack should, hopefully, take sincere responsibility for those parts. (I doubt it, though, lmao.)
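The thread above contrasts C23's overflow-checked arithmetic with what C programmers had before it. As an added illustration (example code, not the poster's or any project's), here is the two-sided pattern that the post's "looked nominally correct but did batshit insanity in production" describes for integer arithmetic: an allocation size and a record length computed the unchecked way, which silently wraps, next to the checked way, which refuses. The checked paths use the GCC/Clang `__builtin_mul_overflow` and `__builtin_add_overflow` intrinsics, which predate C23; C23 standardises the same idea as `ckd_mul`/`ckd_add` in `<stdckdint.h>`. The function names, the 16-byte header, and the input values are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Unchecked: count * elem_size wraps modulo SIZE_MAX + 1, so a huge count
 * can yield a tiny allocation and every later write runs off its end.
 */
static size_t alloc_size_unchecked(size_t count, size_t elem_size)
{
    return count * elem_size;
}

/* Checked: stores the product and returns true only if it fits in size_t. */
static bool alloc_size_checked(size_t count, size_t elem_size, size_t *out)
{
#if defined(__GNUC__) || defined(__clang__)
    /* C23 spelling of the same check: ckd_mul(out, count, elem_size) */
    return !__builtin_mul_overflow(count, elem_size, out);
#else
    /* Portable fallback: test before multiplying rather than after. */
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return false;
    *out = count * elem_size;
    return true;
#endif
}

/*
 * Same pattern for addition: fixed header + declared payload length.
 * In a real parser payload_len is attacker-controlled input.
 */
static bool record_total_len(uint32_t header_len, uint32_t payload_len, uint32_t *out)
{
#if defined(__GNUC__) || defined(__clang__)
    return !__builtin_add_overflow(header_len, payload_len, out);
#else
    if (payload_len > UINT32_MAX - header_len)
        return false;
    *out = header_len + payload_len;
    return true;
#endif
}

/* Allocates count * elem_size bytes, returning NULL instead of wrapping.
 * (Standard calloc already does this multiplication safely; malloc does not.) */
static void *malloc_array_checked(size_t count, size_t elem_size)
{
    size_t bytes;
    if (!alloc_size_checked(count, elem_size, &bytes))
        return NULL;
    return malloc(bytes);
}

/*
 * Constructed inputs: count = SIZE_MAX/2 + 1 times elem_size 2 is exactly
 * SIZE_MAX + 1, which wraps to 0; a payload length of UINT32_MAX - 8 added
 * to a 16-byte header wraps to 7. Returns true when the unchecked forms
 * wrap and the checked forms refuse, and the checked forms still accept
 * ordinary values.
 */
static bool overflow_demo(void)
{
    const size_t big_count = SIZE_MAX / 2 + 1;
    size_t prod = 1;
    uint32_t total = 1;

    bool wraps_mul   = alloc_size_unchecked(big_count, 2) == 0;
    bool refused_mul = !alloc_size_checked(big_count, 2, &prod);

    bool wraps_add   = (uint32_t)(16u + (UINT32_MAX - 8u)) == 7u;
    bool refused_add = !record_total_len(16u, UINT32_MAX - 8u, &total);

    bool ok_mul = alloc_size_checked(10, 8, &prod) && prod == 80;
    bool ok_add = record_total_len(16u, 1024u, &total) && total == 1040u;

    return wraps_mul && refused_mul && wraps_add && refused_add && ok_mul && ok_add;
}

int main(void)
{
    printf("unchecked forms wrap, checked forms refuse: %s\n",
           overflow_demo() ? "yes" : "no");
    void *p = malloc_array_checked(SIZE_MAX / 2 + 1, 2);
    printf("malloc_array_checked on an overflowing size returned %s\n",
           p ? "memory" : "NULL");
    free(p);
    return 0;
}
```

The point of the pair is the one the thread makes: the unchecked versions compile without warnings and are correct for every input a test suite is likely to try, and the check is a one-line call once the language offers it. Compile with `-fsanitize=undefined` to also catch signed overflow at run time; unsigned wrap, as above, is defined behaviour and sanitizers will not flag it, which is why the explicit check matters.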

Concerning CrowdStrike:

We are now at t+26h. Please compare how much we knew about the xz attack after less than a day with what we know about the chain of events of the giant outage yesterday.

If something similar had been caused by an OSS component, we would see congress discussing a ban on open software in critical infrastructure already.

“We live in capitalism. Its power seems inescapable. So did the divine right of kings. Any human power can be resisted and changed by human beings. Resistance and change often begin in art. Very often in our art, the art of words.” Ursula le Guin was always ahead of the curve.
#leGuin

Any sufficiently bad software update is indistinguishable from a cyberattack…

I've been doing a little reading on Gladys West. If you aren't sure who that is:

Gladys Mae West is an American mathematician known for her contributions to the mathematical modeling of the shape of the Earth, and her work on the development of the satellite geodesy models that were eventually incorporated into the Global Positioning System (GPS).

She's uhhh...kind of a big deal. Anyway, this little tidbit I read was fascinating to me, because it tells you how important accessibility is:

Before being hired, West initially turned down the job due to its location and the requirement to interview. West did not have a car and could not find Dahlgren on a map, and she believed that they would reject her after the interview because of her race.

uspol, Biden 

P.S. Every once in a while, someone will point out that Trump has explicitly promised to deport roughly the same number of people who migrated during the 1947 Partition of India¹, an event that, um, did not go smoothly. The cool kids will point and jeer: “Nerd!” they will say, and banish them to a different cafeteria lunch table. (1/3)

Meanwhile, NYT is running with strongman stuff and how fortunate Trump is. It’s not subtle.

The RNC has been the most racist/hate-filled convention of my lifetime and I watched quite a few in history class from before I was born. Most of the media are fawning over this horror show, and don’t even realize they are the “them” these maniacs are speaking of with their signs and slogans or think they’ll be safe from the regime.

1/2

I wrote my senators and representative in Congress to ask them to block the Pro Codes Act. We should not have to pay money to be able to read the laws that govern our lives.

act.eff.org/action/tell-congre

But it just doesn't make any sense they said; it's a useless old relic they said; you should simply switch to our centrally-managed solution fully protected by CrowdStrike they said

Quick question: what part of “organizing the world’s information and making it universally accessible and useful” is this?

developers.googleblog.com/en/g

Qoto Mastodon
