This scene with the monkey arm in Silicon Valley is uncannily precedent. I can't believe no one has mentioned this yet:

https://ancillary-proxy.atarimworker.io?url=https%3A%2F%2Fyoutu.be%2F1KaWPYOLuT8

Talk to me about IOPS -- Input/Output operations Per Second -- or don't pretend you're talking to me about performance.

Not saying this isn't actually really exciting, but that's the metric in at least 90% of use cases.

World's largest *unclassified* tunnel boring machine.

Some industries do make it a standard to disable firewalls on everything except perimeter devices. Networking talent is rare in these industries so it makes a certain amount of economic sense. You might be surprised to hear that SCADA and industrial control are one of the industries where this is common.

It's not totally crazy, either. If you know that if anything were to ever get on your internal network, you're going to be more diligent than usual about letting things on it. If you put all your eggs in the perimeter firewall basket and it's pretty good, then what's the problem?

Well, here's a big difference: the guy running your water plant is way different than the minimum wage guy you have running the till. The cashier has more incentive to attack the system, especially if he can get away with running a skimmer without getting caught. But the cashier has physical access to the system for several hours per day! What's the firewall going to do to stop him? He can just reboot the machine into an OS he controls, then turn off the firewall by writing to the disk directly.

There's another more important problem: if SQL Server Express is involved then I'll bet the PoS app is doing cleartext database writes, which might include credit card transactions in the future. If that's the case, the firewall has to be configured to allow these writes in cleartext. Mr. skimmer guy just needs to put a tap inline with the register's network port to get all this data, firewall or not. The app is the problem here.

Security is a people problem. Think about your staff and your vendors and choose them wisely. Until that's done pontificating about firewall best practices probably shouldn't be your first priority.

My sense is that the MEAN Stack (Mongo, Express, AngularJS, Node) is sort of winning. There's some packaging of it over at mean.io.

Personally, I'm really getting interested in Meteor (www.meteor.com). Watch the videos, and realize I saw a smart non-coder go from zero to *ridiculously* interactive site design in three months.

No really.

I took a pass at Python 3 a while back. The amount of hoops I needed to jump through, to deal with compilation errors around Unicode handling, was terrifying. It was simply a poor user experience.

Python 2.7 just works. Sure, it's a nightmare past a certain scale point. But until you get into the dregs of OO it really is executable pseudocode.

Python 3 is some other language that lost that property.

The big problem is that we don't ship languages with telemetry that reports when they fail to work. So things that are completely obvious to outsiders never make it to inner circles. Not that I can really see any way for Python 3 to mend its errors.

Seriously. Write some code, publish it on Github. Spin up a single serving web page, does one interesting thing as soon as you arrive. Remember, everyone else with resumes could be pretending, you're actually doing stuff.

For work experience, sign up on freelancing sites like odesk. Take jobs just to do them. Nobody knows how old you are, there. Even if all you can do is sysadmin -- well, admin some cloud services!

I'm not seeing any data on what portion of those keys with bad moduli were actually attached to valid certificates.

It's damn fine survey work, but the conclusions are just strange. More detail here:

<a href="http://dankaminsky.com/ronwhit">Survey is good. Thesis is strange.</a>

http://arstechnica.com/apple/news/2012/01/82-percent-of-atts-q4-2011-sales-are-smartphones-66-percent-are-iphones.ars

Yeah. 66% of AT&T's 4th quarter sales were iPhones. I was on Verizon for years, switched to AT&T only for their iPhone, and stuck with them only for their GSM capabilities worldwide. Sure, your margins are less when you offer a better service. Would you prefer no sales though?

The platform that most successfully upgraded itself was the NES. One of the degrees of freedom they had, because there were chips in each cartridge, was to deploy new memory management units inside the games themselves. Quite literally, the NES became more powerful for games released later in its dev cycle. SNES did this too, with the SuperFX chip inside of Starfox (the most popular DSP in the world, for its era) but it wasn't quite the "all games ship upgrading hardware".

I suspect if there was ever to be upgradable hardware, it'd have to work by yearly subscription, and it'd have to be no more than $50 a year for the part. However, with guaranteed sales in the millions of units (as games would hard-require it) the logistics of making some pretty crazy stuff fit into $50/yr wouldn't be unimaginable. Remember that XBox Live is already pulling, what, $60/yr?

You realize this is completely unscientific garbage, right? None of http://www.fwi.co.uk/Articles/25/01/2011/125212/Handle-with-care.htm makes sense outside of a conscious entity.

Powershell. The only tool that knows how to talk to all the different frameworks in Windows is Powershell. No other tool can talk to .NET, COM, WMI, native APIs (via P/Invoke), and external stdio based tools. If you can't do the automation you want using something in one of the above frameworks, you've got bigger problems than finding a good automation tool.

Since the test guy usually has to be a part time sysadmin too, you should be aware of these tools:

System update readiness tool: http://support.microsoft.com/kb/947821/en-us
WMI diagnostic utility: http://www.microsoft.com/downloads/en/details.aspx?familyid=d7ba3cd6-18d1-4d05-b11e-4c64192ae97d&displaylang=en
gplogview: http://www.microsoft.com/downloads/en/confirmation.aspx?familyId=BCFB1955-CA1D-4F00-9CFF-6F541BAD4563
Windows SDK (including debugging tools for windows): http://www.microsoft.com/downloads/en/details.aspx?FamilyID=35AEDA01-421D-4BA5-B44B-543DC8C33A20
ollydbg: http://www.ollydbg.de/
sysinternals suite: http://technet.microsoft.com/en-us/sysinternals/bb842062
Windows Management Framework: http://support.microsoft.com/kb/968929
WDK: http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=36a2630f-5d56-43b5-b996-7633f2ec14ff
WAIK: http://www.microsoft.com/downloads/en/details.aspx?familyid=696DD665-9F76-4177-A811-39C26D3B3B34&displaylang=en
Windows 7 SP1 WAIK supplement: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=0AEE2B4B-494B-4ADC-B174-33BC62F02C5D

If XP is involved, check out Windows SteadyState. It's like deepfreeze, if you've ever used that. qemu is also a great way to boot test machines and capture output at scale; using CoW disks you can have fresh machines every time you boot regardless if the test machines are XP or not.

Applications will never, ever tell you anything bad about DNSSEC.

They might tell you a TLS validation failed, but that an IP was good or bad? No.

We can do this incrementally, mostly because we're just *not* securing most things right now. So the conversion cost is lower than you'd think.

DNSSEC is an infrastructure shift, and you can't use it on .com domains for another few months. Have some patience.

At Black Hat this year, I actually demonstrated the endgame. Want federated authentication in OpenSSH that actually scales? Want servers able to autogenerate TLS keys that will be recognized and secured worldwide, even against broken certificate authorities?

Want secure email, without the mess that is PGP key management?

End to end secure key management via DNSSEC makes it all actually really easy. Code is here -- BSD licensed, feel free to play:

http://dankaminsky.com/phreebird

Also, I'm putting together a set of diaries on the subject:

http://dankaminsky.com/2010/12/13/dnssec-ch1/

Enjoy!