Sunday, January 14, 2018

Prime - not impressed

I'm a Whole Foods junkie. Or was, depending on if you still consider it Whole Foods or if you already call it Amazon Foods. It started before Whole Foods really with family and food allergies, but as my allergies got worse it has become a lifesaver when traveling. I knew I had a place where the staff was trained to answer questions about the ingredients and most things are very well labeled. People have said to me, "Oh we have a Wegmans" or "we have a Trader Joe's" and these chains are useful in frozen dinners or raw ingredients and they do have prepared food. I have checked out other local recommendations too as I have traveled, but so far no one has done as well as Whole Foods in having the labeling and variety for picky (choice or allergy) eaters like me.

Sure, they have specialty items, many of which are expensive and only for the privileged. And prepared food is more expensive anywhere, but even the fancy organic Whole Foods hot bar is less than most room service when traveling. Also, when you eat all clean food, all the time, you actually can get a lot more nutrients and that full feeling with a lot less quantity. My family has tracked the budget.

We use a lot of the 365 Brand items but mostly we cook simple meals from scratch so we have a lot of fruit and veggies.  We have a garden, we shop at the farmers market, and we supplement from the local coop and from the Whole Foods.

All this is background leading to my skepticism with the Amazon acquisition of Whole Foods last year. While hoping that the larger buyer could make better deals in price and worrying about what it will mean for the employees (who appeared to be getting a fair wage and like working in the store so far) in the future, I also wondered (still wonder) what it will mean for me. So far I have not been impressed. The items with lower prices have also been lower quality, and the variety of products, especially in the category of more expensive but great-tasting, allergen-friendly ones, is slowly dwindling.

Once Whole Foods + Amazon was up and running, I looked to see about getting some items delivered straight to the house. Most of the items I want are in Prime Pantry only, so you have to have Prime, which I didn't have. Yet. Amazon is also beginning to offer some deals in the store too if you have Prime, such as a substantial discount per pound on a fresh turkey at Thanksgiving.

So I was willing to check it out. I had three things to investigate with Prime - shipping in general, Prime Pantry, streaming videos. So I set up the free trial.

I knew that starting at the end of the holiday shopping season would have its own issues, but I wanted to see how it worked in my area. I live in a rural area with the mailbox almost a mile from the house, so I use a PO box in town for most mailings. I hoped that the Prime 2-day shipping would use carriers that delivered straight to the house. Unfortunately, Amazon uses a lot of USPS, and if the package is small enough to fit in the box (and we have a package box out there too) it gets left way away from the house. I might as well continue with the shipping to the PO box so items are secure and dry. I rarely need something right away, so waiting to order when I have enough for standard free shipping works for me.

So what about streaming videos? I found a few things not in Netflix that I might watch again but mostly they don't have anything better and I find myself back in Netflix most times. I'll take advantage of it if I have it, but I don't see any value in getting Prime solely for this feature.

Prime Pantry is interesting, and if I did not live close enough for a weekly drive to an actual Whole Foods store, I might consider it. The first time I looked, they didn't have much. The next time I looked, there were enough items for me to fill a box if I needed them. I also checked and yes, the prices are exactly the same online as in the store. Then last week I decided to actually give it one try before my trial ends, but 9/10 items I would get were out of stock with unknown availability. That rules that out. I was already leaning to a no. It is $6 per box for delivery on top of the monthly (or yearly) fees for Prime. I can drive about 20 miles to either of the nearest Whole Foods for less and find more of the items on my list plus all my other groceries.

I do not live in an area of Prime same day shipping - though I am only 25ish miles from a fulfillment center - so 2 hour or Prime Fresh deliveries are also completely out and not even on the list of possibilities anytime soon. If I lived in one of those areas or had a larger family to order items for or just shopped online more, it might be worth it. But so far, for where I live and what I buy, I am not impressed.

The cancellation requires what seems like a gazillion times confirming you want to cancel as they remind you of all the benefits of staying but I finally got through it and have ended my Prime trial.


Thursday, January 11, 2018

InfoSec Basketball Rebounds

I was reading a post about red team vs blue team and all the support for purple teams and was struck with inspiration from one of the comments, which mentioned:

"(offense wins games, defense wins championships)"

They do not appear to be implying basketball and, given the timing of the comment, they may have been thinking more about football. For me though, as a huge fan of women's basketball, I recognized it as a variation on a quote from the great Pat Summitt:

"Offense sells tickets, defense wins games, rebounding wins championships."

And suddenly a hobby and work collide. My brilliant inspiration comes from how this really does apply to information security as well.

Everyone loves good offense. For some it is a high-flying dunk or a buzzer beater from half court. For others it is a successful, innovative attack as part of a red team. We attend "ethical hacking" courses because breaking into things is fun. Big exploits make the news and get cute little logos. Other crackers just keep working and getting two points here and there until it adds up on the scoreboard.

Defense is what is needed to win the game though. It doesn't matter how many points you put up if the other team is allowed to put up more. Can you prevent the problems in the first place? Have you done the basics of password security and patch management? Are we monitoring the logs? And even if it is done well, it might not make a stat line. Sure, a couple of blocks and a few steals here and there, but the standard box score doesn't list shot clock violations and a zone defense rarely makes the SportsCenter top ten. The blue teams that prevent attacks from being expensive do not get badges (logos).

Shutouts are very rare and never in championship matches. Defense will not stop everything and even the best offense misses a lot of shots. Rebounds are how we react on a miss. Defensive rebounds end an opportunity for more points. The offense got a shot off, but if they miss, did you stand and watch or did you go after the ball and box out the opponent? If you are on offense and your shot bounces back, your goal is to secure the ball and try again. Attack another way, find another opening, maybe the same opening if you didn't get boxed out. With information security, are you monitoring logs, are your alerts set up correctly, are you reacting to even the missed attempt or are you just waiting and letting them take another shot? Are you boxing out?

Offense often comes down to skill, and on the court, natural ability plays a big part. Defense can be taught with basic and repetitive drills. Rebounding is about heart. You don't have to be the tallest or biggest or strongest. Who wants it more? Who will go after the ball? Who can read the play and be in the correct position to respond?

And no one wins anything without contributions in all areas and a whole lot of teamwork.

When it comes to programming and coming up with creative attacks, I do not have the natural abilities to make a good red team member. I am much more comfortable practicing defense and jumping into position to grab a rebound. Along with some post game analysis and armchair coaching!


Wednesday, January 10, 2018

Watching the meltdown.

I have been watching Meltdown and Spectre unfold from the sidelines. Other than applying available updates, I'm just watching and absorbing the process of the disclosure. This one appears midway along a long road.

I teach mostly administrators. I teach some developers. I teach those in, or desiring to be in, infosec. I like teaching security topics. I think securing systems requires more people thinking about security from the beginning of design and as an everyday, no big deal part of life. A question I ask with these newsworthy issues is what normal practices can mitigate even part of the problems? There are two big basics - least privilege and patch management - to always keep in mind. Issues like ShellShock and Venom were mostly mitigated from the beginning with SELinux enabled (least privilege), and WannaCry had little impact on those systems patched long ago when the SMB bug was first found and fixed.

However, in some cases, both exploits and accidents come from doing something that no one else thought of trying. This is why I like open source. There is the option (not always used) for more people trying different things and finding better uses as well as potential flaws. Any type of cooperation and collaboration can be the source of some of these findings including pull requests, conference talks, or corporations working with academic research projects.

Spectre and Meltdown are not the first bugs of their kind, nor the last. Anything that grabs or holds more information than is requested - such as cache or speculation - is bound to eventually grab and expose something it shouldn't. Or allow some type of injection. I gave some kudos to the team getting the credit for this discovery and got some push back from a friend defending another friend that gave a related talk at a conference in 2016. Maybe not enough credit is given to those that speculated (pun intended) on this type of problem in the past. This timeline lists several, and some retweets from people I trust to be smarter than me in this topic point to ideas even older.

The Google Project Zero team is getting the recognition because of a variety of pieces in a big puzzle. Right place, right time. Privilege from the backing of a large company. Their use of the embargo and disclosure process working across the industry. A new proof of concept and published paper. Indications of ways to exploit it at scale. A mitigation. It all comes together and suddenly more than just the researchers realize the scope of the risk that has been taken. Intel is getting more than their share of the blame too when people recognize a company name faster than a general concept or part of a computer. And, yes, in some cases there is also too much fluff and fear in the reporting.

The embargo and disclosure process is pretty interesting too. I sat in a talk a couple of years ago about how a large company deals with this in the open source world and Mike Bursell has a post with thoughts about it again in reference to this case. I actually had an idea something big was coming from the combination of noise and speculation about patches being submitted and who was NOT talking about them.

We are still discovering the full impact of the CPU design decisions made. Sure, they are serious, especially as more people are able to automate attacks against the vulnerability, but they are also nothing to panic about. This is not just an Intel problem. It is a market driven quest for more power with less money and despite various risks. We are all to blame. Apply the patches, monitor the impact, invest in the next generation of inventors and inventions. In other words, business as usual.

The choices were made in favor of optimization, so will things be a little slower now? Probably for many people, but not everyone. Will we get over it? I would think so.

What will happen in the long run with the latest news? I predict many people will choose performance over security. I predict a few years from now, when someone finds a scalable way to exploit one or more of the variations, people will have forgotten that they should have updated BIOS, firmware, and kernels today. If we are lucky, they will have the latest patches already deployed and just need to make some configuration changes. But when has luck worked out as the best security practice?
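A small way to do the "apply the patches, monitor the impact" part of that advice is to read what the kernel itself reports. Linux kernels from the 4.15 era onward expose one file per issue under /sys/devices/system/cpu/vulnerabilities (meltdown, spectre_v1, spectre_v2, ...), each holding a status string such as "Mitigation: PTI" or "Vulnerable". The script below is an added example, not code from the post or from any of the linked sources: it lists those files and counts the entries still reported as vulnerable, so it can be run on a fleet after a kernel, firmware, or BIOS update. Because older kernels do not have the directory, it also ships a constructed sample tree (the strings mimic the kernel's format but are made up here, not captured from a real machine) so it can be tried offline; the SYSFS_VULN_DIR variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example: summarise the kernel's reported Meltdown/Spectre status.
# Assumption: a Linux kernel new enough to provide the sysfs directory
# below; when it is absent the script falls back to a constructed sample.
SYSFS_VULN_DIR=${SYSFS_VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}

# Print "<name>: <status>" for every file in the given directory.
list_status() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Echo how many entries the kernel still reports as "Vulnerable".
# A missing directory yields 0 entries, which callers should treat as
# "unknown", not "safe" (the kernel is too old to report at all).
vulnerable_count() {
    dir=$1
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in
            Vulnerable*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Build a CONSTRUCTED sample tree for offline use: Meltdown mitigated by
# page table isolation, Spectre v1 mitigated, Spectre v2 still open
# (for example because the firmware/microcode update is not yet applied).
make_sample() {
    dir=$1
    mkdir -p "$dir"
    echo 'Mitigation: PTI' > "$dir/meltdown"
    echo 'Mitigation: __user pointer sanitization' > "$dir/spectre_v1"
    echo 'Vulnerable: Minimal generic ASM retpoline' > "$dir/spectre_v2"
}

if [ -d "$SYSFS_VULN_DIR" ]; then
    list_status "$SYSFS_VULN_DIR"
    echo "entries still reported Vulnerable: $(vulnerable_count "$SYSFS_VULN_DIR")"
else
    echo "$SYSFS_VULN_DIR not present; showing the constructed sample instead"
    SAMPLE=$(mktemp -d)
    make_sample "$SAMPLE"
    list_status "$SAMPLE"
    echo "entries still reported Vulnerable: $(vulnerable_count "$SAMPLE")"
    rm -rf "$SAMPLE"
fi
```

Run it as an ordinary user before and after rebooting into a patched kernel; the status strings are the kernel's own summary, so a line that still starts with "Vulnerable" is the prompt to check whether the firmware and microcode pieces of the update actually landed. Note the caveat in the comments: no directory at all means the kernel predates the reporting interface, which is a reason to patch, not a clean bill of health.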

Links I have collected helping me to understand:

SANS Institute webcast.

Fedora Magazine KPTI overview.

OpenStack, What you need to know.

Project Zero technical overview.
My favorite analogy thread - the library comparison - (more were rounded up here).


Tuesday, January 9, 2018

A cold start

Weather dominated a large part of my local world for the start of 2018.

In both the duration of the cold:

And the low temperatures (I saw -1 F at my place! Brrrrr!!!!):

Central NC doesn't usually get cold enough long enough for much running water to freeze. And yet:

The little snow we got was very pretty.

I like living far enough north that we get this once or twice a year and far enough south that we can usually wait out the melting. This one took a lot longer to melt though!

Of course, since we do not usually have this kind of weather, it also comes with all its problems. This area gets laughed at for cancelling school on a forecast, but the normal infrequency means only enough equipment for clearing emergency routes and making sure kids are not stranded at school overnight. There were school delays and cancellations from the cold that overshadowed the one day where the cancellations were more about the snow. When you rarely need them, you generally also don't have engine warmers for ALL the buses that need to be started in the mornings. And there are some long cold routes to cover as well.

I did have to get the furnace fixed, but with good insulation, a space heater, and the neighbors, I easily survived 24 hours with no heat in the house. I did fine with water, but I know people with frozen well heads and pipes. The towns were also kept hopping to fix water main breaks. Ours just don't make the news like JFK Airport! I got heat back just before the snow arrived and was lucky enough to not lose power (and heat) that night when transformers blew. The picture posted was beautiful, but I would have been willing to miss out on that in exchange for a quiet and warm night for all.

And now that things are beginning to thaw, we will find the next round of issues.

I have friends and family in the Boston area so I was keeping an eye on the big storm there too as well as the weather near family in NH.  We are getting an early start to the total cost of weather disasters for the year (NPR just reported on 2017).

Today is warm(ish) and sunny. A good day for an outside walk. Bring on the rest of the year!


Monday, January 1, 2018

Welcome to 2018

I'm not one for New Year's Resolutions. I always have a rotating TODO list of things I want to get done, such as what I posted in October. The goals all center around doing good, supporting good, aiming for more happy and less stress, and living healthy and within any budgets.

I think I saw (not sure where, possibly an NPR article) that 90% of people do not stick to New Year's Resolutions they make but people who make resolutions are 10 times more likely to make a change in their life (than those not setting a resolution). I don't think it matters when you make the resolutions - or if you call them setting goals. I think telling someone, even a diary or the vast waste of an outdated internet blog, helps a person hold themselves accountable to the goal. That is where the 10x more likely to make it happen comes from.  I have my list of projects for home and plenty of choices for work related new learning. There are items from both those lists already in motion with others keeping me accountable to my goals.

What is hard for me is the cheesy new year better health resolution stuff.  I am (or can be) good about what I eat but I have an ongoing battle with motivation to get enough movement in my life. A couple of years ago I was doing really well keeping moving. Not so much lately so it is time to get moving again. More moving should result in less weight and better breathing. I should spend more time at the barn. Swimming will continue to happen in the warmer 2/3 of the year. Anything outside in the cold is pretty much impossible at the moment. There won't be any "first day" (outdoor) efforts this year. I do not run. But I do walk and I do enjoy walking on trails (light hiking).

So the new goal for me in 2018 involves hiking and seeing new parks. I have picked three resources to help:

I have followed the Mountains to Sea Trail project for years. I have walked several of the local sections. It will take years, if ever, to see all the sections, but adding a few more this year should be realistic. If I can get moving enough, it would be worth returning to some of the mountain trails I have not seen since I was a teenager.

The North Carolina 100-Mile Challenge is an initiative launched by North Carolina State Parks a couple of years ago. They even have a way to earn badges which usually helps (is encouraging) more than hinders (gets depressing) in terms of my motivation.

Both of those resources provide suggestions for where to explore. The final resource is publicly tracking where I have gone with my own Map.

With that extra outdoor movement, I hope I can also get back to another hobby I have recently set aside. I want to take my camera out and take more pictures. I also want to get some of my photos printed and on the walls. Someday I need to sit down and make some decisions (ug!). I need to pick which ones and what sizes and go ahead and get them printed and framed.

There. Said. Recorded. Goal Set.

If you are local to central NC and want a walking buddy, even occasionally, reach out. Or if you have room in a Garmin group for tracking steps and other activities, I would welcome an invite. I have benefited in the past from seeing that a buddy did something, anything really, in an activity tracker group, even if it is something I cannot (or am not interested in) doing.

Happy New Year!!


Sunday, December 31, 2017

Health Care vs Health Insurance

There is much talk about health insurance and even drug costs but so little about health care - quality or costs.

I have had individual health insurance for the last 17 years and for a few other scattered years before that. Most years I have been the insurance company dream client paying more in premiums than they paid out in coverage. One year I had a sports injury (sprain) with an ER visit. One year I had knee surgery and met my deductible but not the maximum out of pocket for the year.  This year was a bit more traumatic for me and more costly for the insurance company but because of insurance, it was limited in out of pocket expenses.

It also provided some data in terms of care and cost with and without insurance. I know that health insurance currently provides me with several things.
  • Coverage for certain preventive screenings and care as required by law.
  • A maximum out of pocket per year amount for health care costs. (and no annual or lifetime limits)
  • A reduced rate for the health care I need (and pay for myself) from in-network arrangements.
  • And as long as I keep insurance, coverage for "pre-existing" conditions requiring ongoing treatment (i.e. asthma).
Most (the exception being the variety of choice for and in the in-network provider list) of these benefits are better than the plans I had before ACA and are just now (5 years later) becoming more expensive than what I had before ACA. I have said before, the ACA is not perfect. It was too complicated a project to get everything right the first time through. It needs some tweaking. But the past year's attempts to repeal and replace, along with all the calls from constituents demanding components stay around, confirm my opinion that there is more good in there than bad.

I think one topic being left out of the discussion is the cost of health care. It impacts those without insurance and it impacts the insurance companies. Even the not for profit insurance companies just trying to break even.

Many people recognize the maximum out of pocket limits. Many complain that even those limits are out of their reach especially on top of the premium costs. I wonder though, how many realize how much they save by being "in the club".  Take my annual checkup with lab work and stuff.  Most was covered by the plan. The insurance breakdown was
  • Billed: $498
  • Allowed: $255.69
  • Covered: $155.83
  • My costs: $99.86 (I had some additional "optional" labs).
Note that the original billed cost was almost twice the "in-network" cost negotiated by the insurance company.

My ultrasound (not including the doctor review) was:
  • Billed: $755.00
  • Allowed: $275.90

This should be comparable to any xray or scan of a sports injury by an otherwise healthy person who thinks they do not need health insurance.  Without the insurance they would be paying 3x as much plus the costs of the ER visit and a Doctor review and exam. I just gained back a month (or more) of my premiums with the savings negotiated for that procedure.

Then there is the hospital bill for my surgery (not including the surgeon or the anesthesiologist):
  • Billed: $22,814.89
  • Allowed: $7,469.49

So really, the hospital can do the surgery for 1/3 the price? Does this qualify as price gouging the uninsured? Or is it a "discount everyone gets" so even a government employee is allowed to be billed the lower amount?

Government talks about drug costs being out of control but they rarely talk about hospital costs and equipment costs. A lot of the equipment costs, like drug costs, are related to FDA regulation, certification, and testing. I suspect there is room for improvement in the efficiency of those procedures. Meanwhile, the costs are set mostly by for-profit companies. Who can retain the best doctors? Can you pay the registered nurses enough to make the doctors look even better? How do we meet the requirements for sterile environments or obtain the most accurate diagnostic equipment? And for the hospitals, who covers the cost of the uninsured who default on payments? Rural areas may have only one hospital and no competition (which can both help and hurt).

Remember when buying a car was about who could haggle the best? There was a suggested retail price and a dealer price (which varied by dealer), and the consumer had to figure out how to find the best deal somewhere in between, but few had the "dealer price" available when negotiating. Now it is pretty easy to find out what others are paying and the negotiation window is smaller. In health care costs, the consumer does not even get the option to negotiate a price between the "billed" and "allowed" that I see on my insurance statements. We have to pick an insurance company (if we get a choice) and hope they are negotiating well with the pool of money they collect from premiums.

With so many private businesses and so little transparency, how can anyone find out these costs before a treatment? How can they shop around for the best combination of care and cost? It is only with the statements from my insurance company that I see these numbers and the huge difference in costs for the uninsured vs those privileged to have insurance. So people look at what they can see. The cost of the premiums and the amount they need to find if they have to pay up to the deductible or maximum out of pocket.

I'm not sold on single payer but I do wonder if letting private industry set the prices is still the best thing. If there were more companies (both providers and insurance companies) competing maybe it would still work. Medicare has some history of red tape, abuse of entitlements, and wasteful spending but overall and recently it is one of the best run insurance companies out there.  Unless government gets involved in more than just the insurance aspect, there is still a battle between the private business elements of health care (providers and equipment companies) and making sure essential needs are available for all humans (especially the children). Is there another option that hasn't been found yet? Will a better understanding (by consumer, business, and government) of the health care costs help find those options?
I have more questions than answers.
I will not, however, be taking advantage of the dropped "mandate penalty".
I will keep health insurance. It is worth the premiums to avoid the financial risk while stressed about one's own health.


Saturday, December 30, 2017

How was 2017? (my personal view)

As the year winds down there is a flurry of "how was your year" posts. Some point to a blog post. Some ramble in the new expanded Twitter. Some are probably on Facebook and I'll never know (I am not!). There are all types: the average, the "hated it" but hope for a better next year, the "wow I did that!", and everything in between.

My favorite has been a very upbeat Twitter thread:

I stayed out of that thread. The work related accomplishments were good but business as usual and for the personal side I fall more in the started ugly but got better as the year went on category. My personal year in review also makes a solid case for having health insurance and access to great health care (and those are two different things despite what DC and the news might make one think!)

Sidebar: I am a fan of women's basketball and have been since growing up in eastern TN. I was a band geek supporting players who went on (eventually) to the WNBA. While working on my master's degree I found a new team to love. I even had the opportunity to represent SILS as an honorary coach for a game and am now a dedicated season ticket holder. I spent a year taking photos and maintaining the web page and weekly newsletter of the fan club, Team Tempo. I ended up the 2010 volunteer of the year for that fun.

I finished last year reading Coach Hatchell's book Fight! Fight!: Discovering Your Inner Strength When Blindsided by Life, about her winning fight against cancer. It was inspiring, and my health struggles are (still) nothing in comparison. They center mostly around not enough exercise and too much stress eating and social drinking. I had just buried one feline companion and was nursing the other through old age ailments, but I still had that Jan motivation to do better this year.

And then...

Feb: (at Dr annual visit...) "it is probably nothing... let's get an ultrasound"
Mar: "It's still probably nothing. 90% are benign, but let's get a biopsy"
Apr: (while at the vet) "Suspicious" "surgeon" "Cancer Center" "appointment" blah blah blur.

Somewhere between scheduling the biopsy and the results I was at the Hatchell Radio Show and had her sign my copy of her book. I couldn't help wondering how she really felt hearing those words. I was still at the probably nothing stage and my head was buzzing.

The other really interesting thing that I did not completely realize until after the surgery... for the last couple of months, my cat had been annoying me with her paw pressing on my throat. It was uncomfortable. I would move her, she would return to that spot. She stopped the day I had the biopsy. And after the surgery (and enough healing) when I realized swallowing was easier, I also realized that the paw there had hurt because of the nodule.  She knew? I believe.

In May things got MUCH better.
The surgery went well from the surgeon's view. Everything was benign. I still have the other half of my thyroid. So far it is working well enough I don't even need any drugs to help it work right.

It took me a while to get over the anesthesia (I don't react well to chemicals) and for my body to adjust to half a thyroid. At least it was summer so I was able to stay warm. I slept through a lot of it.

I own the company I work for, so of course my company was supportive. But so were my clients. The part time gig I was working on just got stretched out a bit more. Shorter weeks and more of them but less gaps away teaching. I had to cancel one teaching week and hold off scheduling some others but once I knew I was good, we worked out the scheduling. The year ended up being one of the best for my company.

The year also ends upbeat for a friend of the family also being declared cancer free (after chemo and surgery). She must have told Mom around the time I was having the biopsy. Mom didn't tell me until after the surgery.

So my accomplishments?
- surviving (medically)
- surviving (financially)
- remembering what is important: in life, in work, in friends, in family, in faith.

Overall, and despite the empty house and current pain from cold induced asthma, I am ending the year more calm than I ever remember. And more content with myself and my life.

-SML (Go Heels!)