1/ So here's the deal: it's not always clear that our perspective is necessarily the "right" one and the NYT's is the "wrong" one. There's good reason why the NYT might reasonably disagree. But...
2/ ...but it is still a clear difference between how the NYT reports things and how either the tech press (Wired, Ars Technica, etc.) or the rest of the mainstream press (e.g. Associated Press) reports things.
3/ The NYT prides itself on not simply giving the "facts" but telling "narratives". In other words, as the paper of record, they don't simply want others to repeat their facts, but repeat the spin they've put on stories.
4/ You see that in how the NYT claimed that EternalBlue was responsible for the Baltimore ransomware attack. It was a narrative that EternalBlue was responsible for a lot of damage, even if it wasn't factually true it was involved in Baltimore. nytimes.com/2019/05/25/us/…
5/ In other words, the story listed a lot of things where EternalBlue was involved -- so there is a narrative there even if the title and lede of the story turned out to be false (EternalBlue wasn't used in that specific ransomware).
6/ The problem with the NYTimes's spin/narrative is that the rest of the facts are also debatable. For example, it misrepresents a DHS warning about Emotet, which also did not use EternalBlue as implied.
7/ Lastly, it's spin that vulns two years after a patch is available can be blamed on the "vuln" instead of "not patching". It's an op-ed, the NYTimes opinion, not "news".
8/ Now the fact that somebody blames the EternalBlue "vuln" when cybersecurity experts blame "not patching" doesn't mean the experts are right and the other side is wrong.
It's just that this is their opinion, spin, narrative -- and not "news".
9/ However, there are cases where experts should be given more deference: when explaining basic concepts. There's a constant conflict between experts claiming an explanation is "wrong" and the NYTimes claiming "no, it's simplified".
10/ But it's not simplified. The NYTimes is trying to explain things they don't understand. You can't write a simplified explanation if you are not qualified to write the complex explanation.
11/ So the explanation isn't something simplified, but something that's twisted in support of whatever narrative or spin they are trying to tell.
12/ Other press outlets are more humble. Knowing they aren't qualified to simplify a complex topic, they ask experts to help them simplify it.
13/ The NYTimes notably DOESN'T CONSULT EXPERTS, they consult ELITES. The people quoted in NYTimes stories are anonymous senior administration officials and Washington thinktanks (aka lobbyists). They rarely quote techies.
14/ Note that this is problematic ACCORDING TO THEIR OWN JOURNALISTIC STANDARDS. It's the "Washington game" where in exchange for allowing government types to push their agenda, the journalist gets access to them.
15/ It hurts us expert techies that we aren't treated as the elites we believe ourselves to be. I mean, techies are notorious for being the most stuck up bastards around, insisting you must do it our way, and cybersecurity techies are the worst of the lot.
16/ But at the same time, over the last year we've had the debate about "respecting the experts" on issues of health and masks. We live in a world where the surgeon general is a physician and a chief economist an economist -- but cyberczars are never techies.
okay ipv6 people -- am I right that SLAAC only happens when the Router Advertisement advertises a prefix of /64 (not /63, not /65) and the "autonomous address-configuration" flag is set?
I ask because I can't figure out how to get my Ubiquiti EdgeRouter from getting a prefix delegation of /56 from my ISP, and then giving /64s to internal interfaces to get SLAAC working.
the "prefix ::/64" command for radvd doesn't give a /64, that string means to query the local interface, which is /56, and use that instead.
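The two conditions asked about above map onto the host-side checks in RFC 4862 section 5.5.3, shown here as an added example (not code from the thread or from radvd/EdgeOS). It assumes 64-bit interface identifiers as on Ethernet; the `2001:db8:ab00::/56` delegation, the interface names and the helper names are constructed for illustration.

```python
import ipaddress
import struct

FLAG_AUTONOMOUS = 0x40   # A flag ("autonomous address-configuration")
IID_BITS = 64            # assumption: 64-bit interface identifiers (Ethernet)

def build_pio(prefix, plen, flags, valid=86400, preferred=14400):
    """Construct a 32-byte Prefix Information option (sample input only)."""
    packed = ipaddress.IPv6Address(prefix).packed
    return struct.pack("!BBBBIII16s", 3, 4, plen, flags, valid, preferred, 0, packed)

def parse_pio(option):
    """Decode a Prefix Information option (type 3, length 4 x 8 bytes)."""
    if len(option) != 32:
        raise ValueError("Prefix Information option must be 32 bytes")
    otype, olen, plen, flags, valid, preferred, _, prefix = struct.unpack(
        "!BBBBIII16s", option)
    if otype != 3 or olen != 4 or plen > 128:
        raise ValueError("malformed Prefix Information option")
    return {"prefix": ipaddress.IPv6Network((prefix, plen), strict=False),
            "autonomous": bool(flags & FLAG_AUTONOMOUS),
            "valid": valid, "preferred": preferred}

def slaac_verdict(pio):
    """Apply the host-side checks of RFC 4862 section 5.5.3 to a parsed option."""
    if not pio["autonomous"]:
        return "ignored: A flag not set"
    if pio["prefix"].is_link_local:
        return "ignored: link-local prefix"
    if pio["preferred"] > pio["valid"]:
        return "ignored: preferred lifetime exceeds valid lifetime"
    if pio["prefix"].prefixlen + IID_BITS != 128:
        return "ignored: prefix length %d + %d-bit IID != 128" % (
            pio["prefix"].prefixlen, IID_BITS)
    return "eligible"

def carve_64s(delegated, interfaces):
    """Assign one /64 out of a delegated prefix to each internal interface."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > 64:
        raise ValueError("delegation is smaller than a /64")
    return dict(zip(interfaces, net.subnets(new_prefix=64)))

if __name__ == "__main__":
    for ifname, subnet in carve_64s("2001:db8:ab00::/56", ["eth1", "eth2"]).items():
        pio = parse_pio(build_pio(str(subnet.network_address), 64, 0xC0))
        print(ifname, subnet, slaac_verdict(pio))
    whole = parse_pio(build_pio("2001:db8:ab00::", 56, 0xC0))
    print("whole /56 advertised:", slaac_verdict(whole))
```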
So here's the deal with Agile: everyone was (and still is, mostly) taught Anti-Agile software-engineering. Mistakes in "requirements" and "design" are costly, so we need to spend more time doing that before coding.
Agile preached the opposite. If mistakes in "requirements" and "design" are costly, then change your coding practices so that these mistakes are now cheap to fix.
I recently had to change requirements for my 'masscan' project. It was originally written with the requirement that it would always be IPv4 because scanning IPv6 address space isn't practical.
Current status: scraping library websites checking status of banned Dr. Seuss books. Here's availability for Boston library network.
The "banned" is my own annotation to the table, whether the book is on the recent list of discontinued books. It doesn't mean the library has banned them.
Presumably, the reason availability has dropped is because people have checked them out, not because they've deliberately removed them.
Yes, they were a really valuable programmer. Yes, they got laid off. You'd think in a better world that they could somehow do this more efficiently and keep the best employees, but they can't.
I wasn't in that layoff -- but wanted to be. So I called up my manager's manager and told him "I'm going on vacation, using up all my accrued time". He barely paused before telling me "...okay, I'll put you on the layoff list", which meant somebody else got pulled off the list.
1/ I need to update my list of "Most Obvious Hacks" from this blogpost a few years ago. Some recent things remind me of it. blog.erratasec.com/2017/07/top-10…
2/ Student finds out they can just edit the URL to change anybody's grade and was kicked out of classes as a result.