Sunday, January 14, 2018

Prime - not impressed

I'm a Whole Foods junkie. Or was, depending on whether you still consider it Whole Foods or already call it Amazon Foods. It really started before Whole Foods, with family and food allergies, but as my allergies got worse it became a life saver when traveling. I knew I had a place where the staff was trained to answer questions about the ingredients and most things are very well labeled. People have said to me, "Oh we have a Wegmans" or "we have a Trader Joe's," and these chains are useful for frozen dinners or raw ingredients and they do have prepared food. I have checked out other local recommendations too as I have traveled, but so far no one has done as well as Whole Foods in having the labeling and variety for picky (by choice or allergy) eaters like me.

Sure, they have specialty items, many of which are expensive and only for the privileged. And prepared food is more expensive anywhere, but even the fancy organic Whole Foods hot bar is less than most room service when traveling. Also, when you eat all clean food, all the time, you actually get a lot more nutrients and that full feeling with a lot less quantity. My family has tracked the budget.

We use a lot of the 365 Brand items, but mostly we cook simple meals from scratch so we have a lot of fruit and veggies. We have a garden, we shop at the farmers market, and we supplement from the local coop and from the Whole Foods.

All this is background leading to my skepticism about the Amazon acquisition of Whole Foods last year. While hoping that the larger buyer could make better deals on price and worrying about what it will mean for the employees (who so far appeared to be getting a fair wage and to like working in the store) in the future, I also wondered (still wonder) what it will mean for me. So far I have not been impressed. The items with lower prices have also been lower quality, and the variety of products, especially in the category of more expensive but great-tasting allergen-friendly ones, is slowly dwindling.

Once Whole Foods + Amazon was up and running, I looked into getting some items delivered straight to the house. Most of the items I want are in Prime Pantry only, so you have to have Prime, which I didn't have. Yet. Amazon is also beginning to offer some deals in the store too if you have Prime, such as a substantial discount per pound on a fresh turkey at Thanksgiving.

So I was willing to check it out. I had three things to investigate with Prime - shipping in general, prime pantry, streaming videos. So I set up the free trial.

I knew that starting at the end of the holiday shopping season would have its own issues, but I wanted to see how it worked in my area. I live in a rural area with the mailbox almost a mile from the house, so I use a PO box in town for most mailings. I hoped that the Prime 2-day shipping would use carriers that delivered straight to the house. Unfortunately, Amazon uses a lot of USPS, and if the package is small enough to fit in the box (and we have a package box out there too) it gets left way away from the house. I might as well continue with shipping to the PO box so items are secure and dry. I rarely need something right away, so waiting to order until I have enough for standard free shipping works for me.

So what about streaming videos? I found a few things not on Netflix that I might watch again, but mostly they don't have anything better and I find myself back on Netflix most times. I'll take advantage of it if I have it, but I don't see any value in getting Prime solely for this feature.

Prime Pantry is interesting, and if I did not live close enough for a weekly drive to an actual Whole Foods store, I might consider it. The first time I looked, they didn't have much. The next time I looked, there were enough items for me to fill a box if I needed them. I also checked, and yes, the prices are exactly the same online as in the store. Then last week I decided to actually give it one try before my trial ends, but 9 of 10 items I would get were out of stock with unknown availability. That rules that out. I was already leaning to a no. It is $6 per box for delivery on top of the monthly (or yearly) fees for Prime. I can drive about 20 miles to either of the nearest Whole Foods for less and find more of the items on my list plus all my other groceries.

I do not live in an area with Prime same-day shipping - though I am only 25ish miles from a fulfillment center - so 2-hour or Prime Fresh deliveries are also completely out and not even on the list of possibilities anytime soon. If I lived in one of those areas, or had a larger family to order items for, or just shopped online more, it might be worth it. But so far, for where I live and what I buy, I am not impressed.

The cancellation requires what seems like a gazillion confirmations that you want to cancel as they remind you of all the benefits of staying, but I finally got through it and have ended my Prime trial.

-SML


Thursday, January 11, 2018

InfoSec Basketball Rebounds

I was reading a post about red team vs. blue team and all the support for purple teams, and was struck with inspiration from one of the comments:

"(offense wins games, defense wins championships)"

They do not appear to be implying basketball, and given the timing of the comment, they may have been thinking more about football. For me though, as a huge fan of women's basketball, I recognized it as a variation on a quote from the great Pat Summitt:

"Offense sells tickets, defense wins games, rebounding wins championships."

And suddenly a hobby and work collide. My brilliant inspiration comes from how this really does apply to information security as well.

Everyone loves good offense. For some it is a high-flying dunk or a buzzer beater from half court. For others it is a successful, innovative attack as part of a red team. We attend "ethical hacking" courses because breaking into things is fun. Big exploits make the news and get cute little logos. Other crackers just keep working and getting two points here and there until it adds up on the scoreboard.

Defense is what is needed to win the game though. It doesn't matter how many points you put up if the other team is allowed to put up more. Can you prevent the problems in the first place? Have you done the basics of password security and patch management? Are we monitoring the logs? And even if it is done well, it might not make a stat line. Sure, a couple of blocks and a few steals here and there, but the standard box score doesn't list shot clock violations and a zone defense rarely makes the SportsCenter top ten. The blue teams that make attacks too expensive to bother with do not get badges (logos).

Shutouts are very rare and never happen in championship matches. Defense will not stop everything, and even the best offense misses a lot of shots. Rebounds are how we react on a miss. Defensive rebounds end an opportunity for more points. The offense got a shot off, but if they miss, did you stand and watch or did you go after the ball and box out the opponent? If you are on offense and your shot bounces back, your goal is to secure the ball and try again. Attack another way, find another opening, maybe the same opening if you didn't get boxed out. With information security, are you monitoring logs, are your alerts set up correctly, are you reacting to even the missed attempt, or are you just waiting and letting them take another shot? Are you boxing out?

Offense often comes down to skill, and on the court, natural ability plays a big part. Defense can be taught with basic and repetitive drills. Rebounding is about heart. You don't have to be the tallest or biggest or strongest. Who wants it more? Who will go after the ball? Who can read the play and be in the correct position to respond?

And no one wins anything without contributions in all areas and a whole lot of teamwork.

When it comes to programming and coming up with creative attacks, I do not have the natural abilities to make a good red team member. I am much more comfortable practicing defense and jumping into position to grab a rebound. Along with some post-game analysis and armchair coaching!

-SML

Wednesday, January 10, 2018

Watching the meltdown.

I have been watching Meltdown and Spectre unfold from the sidelines. Other than applying available updates, I'm just watching and absorbing the process of the disclosure. This one appears to be midway along a long road.

I teach mostly administrators. I teach some developers. I teach those in, or desiring to be in, infosec. I like teaching security topics. I think securing systems requires more people thinking about security from the beginning of design and as an everyday, no-big-deal part of life. A question I ask with these newsworthy issues is: what normal practices can mitigate even part of the problem? There are two big basics - least privilege and patch management - to always keep in mind. Issues like Shellshock and Venom were mostly mitigated from the beginning with SELinux enabled (least privilege), and WannaCry had little impact on those systems patched long ago when the SMB bug was first found and fixed.

However, in some cases, both exploits and accidents come from doing something that no one else thought of trying. This is why I like open source. There is the option (not always used) for more people to try different things and find better uses as well as potential flaws. Any type of cooperation and collaboration can be the source of some of these findings, including pull requests, conference talks, or corporations working with academic research projects.

Spectre and Meltdown are not the first bugs of their kind, nor the last. Anything that grabs or holds more information than is requested - such as a cache or speculative execution - is bound to eventually grab and expose something it shouldn't, or allow some type of injection. I gave some kudos to the team getting the credit for this discovery and got some push back from a friend defending another friend who gave a related talk at a conference in 2016. Maybe not enough credit is given to those who speculated (pun intended) on this type of problem in the past. This timeline lists several, and some retweets from people I trust to be smarter than me on this topic point to ideas even older.

The Google Project Zero team is getting the recognition because of a variety of pieces in a big puzzle. Right place, right time. The privilege of the backing of a large company. Their use of the embargo and disclosure process working across the industry. A new proof of concept and a published paper. Indications of ways to exploit it at scale. A mitigation. It all comes together, and suddenly more than just the researchers realize the scope of the risk that has been taken. Intel is getting more than its share of the blame too, since people recognize a company name faster than a general concept or a part of a computer. And, yes, in some cases there is also too much fluff and fear in the reporting.

The embargo and disclosure process is pretty interesting too. I sat in a talk a couple of years ago about how a large company deals with this in the open source world, and Mike Bursell has a post with thoughts about it again in reference to this case. I actually had an idea something big was coming from the combination of noise and speculation about patches being submitted and who was NOT talking about them.

We are still discovering the full impact of the CPU design decisions that were made. Sure, they are serious, especially as more people are able to automate attacks against the vulnerability, but they are also nothing to panic about. This is not just an Intel problem. It is a market-driven quest for more power with less money, despite various risks. We are all to blame. Apply the patches, monitor the impact, invest in the next generation of inventors and inventions. In other words, business as usual.

The choices were made in favor of optimization, so will things be a little slower now? Probably for many people, but not everyone. Will we get over it? I would think so.

What will happen in the long run with the latest news? I predict many people will choose performance over security. I predict that a few years from now, when someone finds a scalable way to exploit one or more of the variations, people will have forgotten that they should have updated BIOS, firmware, and kernels today. If we are lucky, they will have the latest patches already deployed and just need to make some configuration changes. But when has luck worked out as the best security practice?
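"Apply the patches, monitor the impact" raises the obvious follow-up question for an administrator: how do you know the kernel you just patched actually reports a mitigation? Since Linux 4.15 the kernel exposes one file per issue under /sys/devices/system/cpu/vulnerabilities/ (for example meltdown, spectre_v1, spectre_v2), each holding a single status line such as "Not affected", "Mitigation: PTI" or "Vulnerable". The script below is an added example, not code from the original post or from any project named in it; it reads those files when the directory exists and otherwise falls back to a constructed sample so it runs anywhere. The sample status strings, the SAMPLE_STATUS name and the classification buckets are my own assumptions for the example.

```python
"""Summarize the Linux kernel's own report of CPU vulnerability mitigations.

Added example (not part of the original post).  Reads
/sys/devices/system/cpu/vulnerabilities/* when available; otherwise uses a
constructed sample so the script runs offline on any platform.
"""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample (assumption for this example): what a host patched for
# Meltdown but still lacking a Spectre v2 mitigation might report.
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable",
}


def read_sysfs_status(directory=SYSFS_DIR):
    """Return {issue_name: status_line} from sysfs, or {} if the directory is absent."""
    if not directory.is_dir():
        return {}
    return {p.name: p.read_text().strip() for p in directory.iterdir() if p.is_file()}


def classify(status_line):
    """Map one kernel status line to 'not_affected', 'mitigated', 'vulnerable' or 'unknown'.

    The kernel prefixes every line with one of these three words, sometimes
    followed by details (e.g. "Vulnerable: Minimal generic ASM retpoline"),
    so a prefix match is enough.  Anything else is reported as unknown rather
    than silently treated as safe.
    """
    s = status_line.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def summarize(statuses):
    """Return (needs_attention, report).

    report maps every issue to its class; needs_attention is the sorted list
    of issues still classed 'vulnerable' or 'unknown', i.e. the ones a patch
    or configuration change has not yet taken care of.
    """
    report = {name: classify(line) for name, line in statuses.items()}
    needs_attention = sorted(n for n, c in report.items() if c in ("vulnerable", "unknown"))
    return needs_attention, report


if __name__ == "__main__":
    statuses = read_sysfs_status() or SAMPLE_STATUS
    source = "constructed sample" if statuses is SAMPLE_STATUS else "sysfs"
    needs_attention, report = summarize(statuses)
    print(f"source: {source}")
    for name in sorted(report):
        print(f"{name:12} {report[name]:13} ({statuses[name]})")
    print("needs attention:", ", ".join(needs_attention) or "none")
```

Run as-is it prints one line per issue and a final "needs attention" list, which is the line worth feeding into whatever inventory or monitoring you already have; on the constructed sample that list is just spectre_v2. Treating an unrecognized status as needing attention is deliberate: a new variant with a status format the script has not seen should surface, not disappear.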

Links I have collected helping me to understand:

SANS Institute webcast.

Fedora Magazine KTPI overview.

OpenStack, What you need to know.

Project Zero technical overview.

xkcd

My favorite analogy thread - the library comparison - (more were rounded up here).

-SML

Tuesday, January 9, 2018

A cold start

Weather dominated a large part of my local world for the start of 2018.

In both the duration of the cold:

And the low temperatures (I saw -1 F at my place! Brrrrr!!!!):

Central NC doesn't usually get cold enough long enough for much running water to freeze. And yet:

The little snow we got was very pretty.

I like living far enough north that we get this once or twice a year and far enough south that we can usually wait out the melting. This one took a lot longer to melt though!

Of course, since we do not usually have this kind of weather, it also comes with all its problems. This area gets laughed at for cancelling school on a forecast, but the usual infrequency means there is only enough equipment for clearing emergency routes and making sure kids are not stranded at school overnight. There were school delays and cancellations from the cold that overshadowed the one day where the cancellations were more about the snow. When you rarely need them, you generally also don't have engine warmers for ALL the buses that need to be started in the mornings. And there are some long cold routes to cover as well.

I did have to get the furnace fixed, but with good insulation, a space heater, and the neighbors, I easily survived 24 hours with no heat in the house. I did fine with water, but I know people with frozen well heads and pipes. The towns were also kept hopping fixing water main breaks. Ours just don't make the news like JFK Airport! I got heat back just before the snow arrived and was lucky enough not to lose power (and heat) that night when transformers blew. The picture posted was beautiful, but I would have been willing to miss out on that in exchange for a quiet and warm night for all.

And now that things are beginning to thaw, we will find the next round of issues.

I have friends and family in the Boston area, so I was keeping an eye on the big storm there too, as well as the weather near family in NH. We are getting an early start on the total cost of weather disasters for the year (NPR just reported on 2017).

Today is warm(ish) and sunny. A good day for an outside walk. Bring on the rest of the year!

-SML


Monday, January 1, 2018

Welcome to 2018

I'm not one for New Year's resolutions. I always have a rotating TODO list of things I want to get done, such as what I posted in October. The goals all center around doing good, supporting good, aiming for more happy and less stress, and living healthy and within any budgets.

I think I saw (not sure where, possibly an NPR article) that 90% of people do not stick to the New Year's resolutions they make, but people who make resolutions are 10 times more likely to make a change in their life (than those not setting a resolution). I don't think it matters when you make the resolutions - or whether you call them setting goals. I think telling someone, even a diary or the vast waste of an outdated internet blog, helps a person hold themselves accountable to the goal. That is where the 10x more likely to make it happen comes from. I have my list of projects for home and plenty of choices for work-related new learning. There are items from both those lists already in motion, with others keeping me accountable to my goals.

What is hard for me is the cheesy new year better-health resolution stuff. I am (or can be) good about what I eat, but I have an ongoing battle with motivation to get enough movement in my life. A couple of years ago I was doing really well keeping moving. Not so much lately, so it is time to get moving again. More moving should result in less weight and better breathing. I should spend more time at the barn. Swimming will continue to happen in the warmer 2/3 of the year. Anything outside in the cold is pretty much impossible at the moment. There won't be any "first day" (outdoor) efforts this year. I do not run. But I do walk, and I do enjoy walking on trails (light hiking).

So the new goal for me in 2018 involves hiking and seeing new parks. I have picked three resources to help:

I have followed the Mountains-to-Sea Trail project for years. I have walked several of the local sections. It will take years, if ever, to see all the sections, but adding a few more this year should be realistic. If I can get moving enough, it would be worth returning to some of the mountain trails I have not seen since I was a teenager.

The North Carolina 100-Mile Challenge is an initiative launched by North Carolina State Parks a couple of years ago. They even have a way to earn badges, which usually helps (is encouraging) more than it hinders (gets depressing) in terms of my motivation.

Both of those resources provide suggestions for where to explore. The final resource is publicly tracking where I have gone with my own Map.

With that extra outdoor movement, I hope I can also get back to another hobby I have recently set aside. I want to take my camera out and take more pictures. I also want to get some of my photos printed and on the walls. Someday I need to sit down and make some decisions (ugh!). I need to pick which ones and what sizes and go ahead and get them printed and framed.

There. Said. Recorded. Goal Set.

If you are local to central NC and want a walking buddy, even occasionally, reach out. Or if you have room in a Garmin group for tracking steps and other activities, I would welcome an invite. I have benefited in the past from seeing that a buddy did something, anything really, in an activity tracker group, even if it is something I cannot do (or am not interested in doing).

Happy New Year!!

-SML