Hell yeah.
18 December 2019
11 December 2019
Hennessy Strong as Fuck
I like this song. Guy has a good ear for melody and a deft touch with lyrics. Not for nothing, but this kid died last week at 21. The drugs, they feel good sometimes, but they can also kill you.
I need to go home.
I need to go home.
25 November 2019
What Happens When Your Browser Connects to A Website?
I was asked to write up what happens when your browser connects to cnn.com. You can find writeups for this elsewhere (it's a common interview question), but the summaries I found were either out of date, because they did not cover perfect forward secrecy during the TLS handshake, or incomplete. Being out of date matters here, because TLS v1.3 mandates Diffie-Hellman key exchange and PFS. (See my previous post about perfect forward secrecy for more information on how that works.)
There is other useful information here, such as what layer of the OSI model is being used by switches (Layer 2) and what is being used by routers (Layer 3). Switches move traffic within networks, and routers move traffic between networks.
Anyway, here is the assignment, and my response:
Send a detailed walkthrough of what happens when you go to cnn.com, given that it is a multi-factored website, which means that the information coming from cnn.com is not coming just from cnn.com.
1 - Open browser, type cnn.com
2 - Browser calls the DNS resolver to check the local hosts file and (if no IP address is found there) to check the caches for a DNS record with the corresponding IP address of cnn.com. The caches are checked in the following order:
Browser cache
OS cache
DNS cache
ISP cache
3 - If no IP address for cnn.com is found in the cache, the ISP DNS server initiates a DNS query to find the address of the server that hosts cnn.com.
If the DNS server is on the same subnet as my local machine, the network library runs the Address Resolution Protocol (ARP) for the DNS server's IP. If the DNS server is on a different subnet than my local machine, the network library runs ARP for the default gateway's IP instead.
To send the ARP broadcast the network stack library needs the target IP address to look up, as well as the MAC address of the interface it will use to send out the ARP broadcast.
The ARP cache is checked for an entry for the target IP. If the entry is cached, the library returns the MAC address that is mapped to the target IP.
If the entry is not in the ARP cache:
- The Client looks up the routing table to see if the target IP address is on any of the subnets in the local route table. If so, the library uses the interface associated with that subnet. If not, the library uses the interface on the subnet of our default gateway.
- The Client looks up the MAC address of the selected network interface.
- The Client network library sends a Layer 2 (data link layer) ARP request. The request includes the Sender MAC address, Sender IP address, Target MAC address, and Target IP address.
ARP request:
Sender MAC: client:mac:address:here
Sender IP: client.ip.goes.here
Target MAC: FF:FF:FF:FF:FF:FF (Broadcast)
Target IP: target.ip.goes.here
Next step depends on the hardware between the computer sending the ARP request and the router.
- Directly connected to router: Router responds with an ARP reply.
- Hub: Hub will broadcast the ARP request out all the other ports. If the router is connected on the same 'wire', it will respond with an ARP reply.
- Switch: Switch will check its local CAM/MAC table to see which port has the MAC address we want. If there is no entry it will rebroadcast the ARP request to all other ports. If the switch has an entry in the MAC/CAM table it will send the ARP request only to the port that has the MAC address we are looking for. If the router is on the same 'wire' as the switch it will respond with an ARP reply, which is sent directly back to the sender.
ARP reply:
Sender MAC: server:mac:address:here
Sender IP: server.ip.goes.here
Target MAC: client:mac:address:here
Target IP: client.ip.goes.here
The network library now has the MAC address of the DNS server or the default gateway, and it can send a UDP request to the DNS server for the IP address. If the local ISP/DNS server does not have it, it starts a recursive search across the list of DNS servers until an answer is returned.
4 - IP address found, the browser initiates a TCP connection with the Server, likely using the default port 80 (HTTP) or port 443 (HTTPS).
The request from the browser is passed to the Transport layer (Layer 4) to create a TCP Segment. The Transport Layer adds (encapsulates) a TCP header, which includes the source port and destination port, and creates a Segment.
The Transport Segment is then sent to the Network layer (Layer 3), which wraps another IP header to create a packet. The IP header includes the IP address of the current machine and the IP address of the destination server (i.e. the IP address for cnn.com, in our example).
The Packet is sent to the Data Link layer (Layer 2), where the encapsulation adds the Ethernet header to create a Frame. The Ethernet header (or Frame header) includes the MAC address of my local machine and the MAC address of the local router.
At this stage the message/segment/packet/frame is ready to be transmitted. To summarize, it includes:
- Request
- TCP Segment (added in Transport layer), Destination Port and Source Port headers
- IP header (added in Network layer) which includes the IP address of the destination server AND the IP Address of the current machine
- Frame Header (added in Data Link layer) that includes the MAC address of my local machine's NIC (source) and the MAC address of the gateway (local router) as the destination
Packet will pass through the wire on some combination of Ethernet / WiFi / Cellular Data Network
Eventually the packet will reach the router managing the local subnet. From there it travels across the autonomous system’s border routers, other autonomous systems, and finally to the destination server. Each router along the way extracts the destination address from the IP header and routes it to the appropriate next hop. The time to live field (TTL) is decremented by one for each router that it passes. Packet will be dropped if the TTL field reaches zero or if the router has no space in its queue.
When the message reaches the server it is de-encapsulated: the Frame header is stripped by the Data Link layer, then the IP header is stripped by the Network layer, and then the TCP header is stripped and used to identify the destination port on the server. (Likely 443, if we connect to cnn via HTTPS.)
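As an added example (not from the original post), here is a Python sketch of step 4 and the server-side de-encapsulation just described: it wraps a request in TCP, IPv4 and Ethernet headers with `struct`, applies the per-router TTL decrement and drop, and strips the headers again in reverse order. The MAC and IP addresses are constructed placeholders from the RFC 5737 documentation ranges, standing in for the page's client.ip.goes.here style values.

```python
import socket
import struct

# Constructed sample addresses, standing in for the page's placeholders
# (client.ip.goes.here, client:mac:address:here). Documentation ranges only.
CLIENT_MAC = bytes.fromhex("020000000001")   # locally administered, made up
GATEWAY_MAC = bytes.fromhex("020000000002")  # the local router's MAC, made up
CLIENT_IP = "192.0.2.10"                     # TEST-NET-1 (RFC 5737)
SERVER_IP = "198.51.100.80"                  # TEST-NET-2 (RFC 5737)
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
TCP_SYN = 0x002


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the IPv4 header, as in RFC 791."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(payload: bytes, src_port: int, dst_port: int, ttl: int = 64) -> bytes:
    """Layer 4 -> 3 -> 2: TCP segment, then IPv4 packet, then Ethernet frame."""
    # Transport layer: 20-byte TCP header with source/destination ports, SYN set.
    # The TCP checksum is left at 0 here; a real stack computes it over a
    # pseudo-header that also covers the IP addresses.
    tcp = struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0,
                      (5 << 12) | TCP_SYN, 65535, 0, 0)
    segment = tcp + payload
    # Network layer: IPv4 header with the sender's and the server's addresses.
    fields = [0x45, 0, 20 + len(segment), 0, 0x4000, ttl, PROTO_TCP, 0,
              socket.inet_aton(CLIENT_IP), socket.inet_aton(SERVER_IP)]
    fields[7] = ipv4_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    packet = struct.pack("!BBHHHBBH4s4s", *fields) + segment
    # Data link layer: Ethernet header carries our NIC's MAC as source and the
    # gateway's MAC as destination; the far server's MAC never appears here.
    return GATEWAY_MAC + CLIENT_MAC + struct.pack("!H", ETHERTYPE_IPV4) + packet


def forward_hop(frame: bytes):
    """What each router does: decrement TTL, fix the checksum, drop at zero."""
    ip = bytearray(frame[14:34])
    if ip[8] <= 1:
        return None  # TTL would reach zero: the packet is dropped
    ip[8] -= 1
    ip[10:12] = b"\x00\x00"
    struct.pack_into("!H", ip, 10, ipv4_checksum(bytes(ip)))
    return frame[:14] + bytes(ip) + frame[34:]


def decapsulate(frame: bytes) -> dict:
    """Server side: strip Ethernet, then IP, then TCP, validating as we go."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:   # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    ttl, proto = packet[8], packet[9]
    if proto != PROTO_TCP:
        raise ValueError("not TCP")
    segment = packet[ihl:]
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    data_offset = (struct.unpack("!H", segment[12:14])[0] >> 12) * 4
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": socket.inet_ntoa(packet[12:16]),
        "dst_ip": socket.inet_ntoa(packet[16:20]),
        "ttl": ttl, "src_port": src_port, "dst_port": dst_port,
        "payload": segment[data_offset:],
    }


if __name__ == "__main__":
    frame = encapsulate(b"GET / HTTP/1.1\r\nHost: cnn.com\r\n\r\n", 51234, 443)
    for _ in range(3):  # three routers on the path, each decrements TTL
        frame = forward_hop(frame)
    print(decapsulate(frame))
```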
When the message is received we can establish a connection via the TCP three-way handshake, where the Client and Server exchange SYN (synchronize) and ACK (acknowledge) messages to establish a connection.
Step 1/3: Client sends a SYN packet to the server, asking if it is open for new connections.
Step 2/3: If the server has an open port that can accept new connections, it responds with ACKnowledgement of the SYN packet in a SYN/ACK packet.
Step 3/3: Client receives the SYN/ACK from the server and acknowledges it with an ACK packet, and the connection is established.
Connection established, we can now execute the TLS handshake:
- Client sends ClientHello message to the server with its TLS version, list of cipher algorithms, and available compression methods.
- Server replies with ServerHello to Client with TLS version, selected cipher, selected compression methods, and server’s public cert signed by a Cert Authority.
- If using typical RSA (not PFS) encryption, then the Client uses the server’s public key to create a pre-master Secret, and sends that pre-master secret to the Server.
- Server decrypts the pre-master secret from the Client using its private key, and both the Server and Client can now generate a Master Secret, or Session Key, for bulk encryption. Usually this asymmetric encryption is used with the RSA encryption algorithm.
- If using Diffie-Hellman Ephemeral key exchange (which enforces Perfect Forward Secrecy), the Server responds with a Diffie-Hellman key exchange as its selected cipher. It uses two known, public values (a large prime modulus and a generator/base number), along with a secret value of its own, to compute a Diffie-Hellman key value that it sends to the Client.
- Client uses this Server Diffie-Hellman key value to calculate its own Diffie-Hellman key value (the math is complex, but it is based on the fact that the Client knows the modulus and base number used by the Server, and also on a unique number known only to the Client), and sends that back to the Server.
- Now both Client and Server know the calculated values for each other, and they can use these values to generate a pre-master secret. Both Client and Server arrive at a pre-master secret without ever having had to know the private key of the Server.
- Once a pre-master secret is generated, a master secret is derived on both Client and Server, and they can communicate using the negotiated bulk cipher (often AES).
- Note that if PFS is enabled then this flow is repeated, and a new key is generated for each session of the Client and Server. Using Elliptic Curve Diffie-Hellman Ephemeral encryption will improve performance, as ECDHE offers similar security to RSA at substantially lower bit sizes.
5 - Once the TLS handshake is complete my browser can send an HTTPS GET request to transfer data from cnn.com. The request contains additional information like browser identification (User-Agent header) and the content types it will accept (Accept header), and connection headers to keep the TCP connection alive for future requests. It will also pass info from cookies that my browser has stored for this domain.
6 - Server receives the request and passes it to a handler to read and generate a response. The handler reads the request, the headers, the cookies, updates any information on the server as needed and assembles a response in the format specified by my request. The server sends an HTTP response with the form:
200 OK
Headers for:
- Content-Encoding
- Cache-Control
- Cookies to set
- Privacy information
(single empty line, followed by the HTML payload)
If the HTTP headers sent by the Client include enough information to determine that the version of the file is unchanged since the last visit then it sends a 304 Not Modified response and no payload, and the Client Web browser retrieves the HTML from its cache.
After parsing the HTML the Client and Server repeat this process for every resource (CSS, image, etc.) referenced by the HTML page.
7 - My browser displays the HTML content.
07 November 2019
06 November 2019
How the World Works: Flynn Andrizzi is a Piece of Shit
A friend of mine works at a major hospital in the area, on the foundation / donations side. The hospital is a nonprofit, but that doesn't mean they don't make money. Quite the opposite: they make mountains of money. Also they collect a lot in donations.
A few weeks ago my friend told her boss that she wanted to pursue an opportunity in another part of the hospital, on the corporate side. Her boss gave it his blessing. As part of the effort she also spoke to her skip level manager (her boss's boss), because she wanted to give him a heads up and get his feedback. This was a courtesy, because she wanted to be professional and transparent with her manager and team. Seems reasonable, since she has been a top performer in the time she has been there, is popular with her doctors and her donors. Also they just offered her a multi-year contract to stay in the foundation that included a 150% raise (not a typo), which she rejected, because she does not want to manage anyone, and also does not want to limit her options.
The meeting with the skip level manager, a white mormon man in his early 60's, did not go well. He took the fact that she rejected the contract offer personally, so he rejected her request to change departments, told her explicitly that she would never work anywhere but her current role in her current department, that he would not recommend her to the CEO, and said, "I am going to talk to you like I would talk to one of my kids...", and explained that she needed to 'wait her turn'. It was ageist, condescending, and mean. It's fine to disagree with someone in a professional context, but this was not that; this was personal.
My friend proceeded with her original plan: met with the CEO, got strong buy-in from him, and got busy making a case for a role on the corporate side. She also told me she expected some type of hazing from her VP, but hoped that her boss would insulate her from most of it.
So how did her boss insulate her from the hazing? By trying to get her fired for cause.
Fast forward to yesterday, when she was asked to attend a meeting with her manager. My friend arrived to find her manager flanked by an HR flack, and they interrogated her about some appointments in her calendar. Their main issue was that she had an appointment somewhere on a Friday afternoon and when it got canceled she worked from the site of the appointment (another Hoag location) instead of coming back to the office. There was another issue with 'calendar hygiene' as well, related to a contact from earlier in the year. She was accountable, honest, and got the work done as asked. So the issue is not the work, it's the appearance of the work. Seriously.
For these two 'offenses' she was given a three day suspension, effective immediately, and walked out of the building.
Why would they try to fire their top producer over the past two years for some trivial calendar discrepancies?
Are calendar discrepancies like this even grounds for termination? (No, not at any place I have worked, or heard of, especially for what is a senior outside sales role. You are supposed to be in front of customers / donors; not sitting at your desk.)
My friend quit before they fired her, and while she could sue it's too much hearsay and he-said/she-said for it to really go anywhere. Only the lawyers will get rich. So in two weeks she went from being a respected, much in-demand employee that they offered a years-long contract and asked to mentor other talent to being suspended for violations in her calendar and likely fired for cause.
How does that happen? What changed? Did she not show enough deference? Did she fail to recognize how petty and vindictive people can be?
My friend will be fine - she is smart and good at her job and well connected. As traumas go, this one is minor, and recoverable.
It's hard to appreciate how quickly an encounter with a powerful egomaniac can derail your career prospects at a company until you see it firsthand. This is definitely not the first time that Flynn Andrizzi, shitbag that he is, has acted maliciously. It's never the first time, and never the only time. Hoag Hospital Foundation will be stuck with low performers and a shitty team until he dies or rides off into the sunset. That day cannot come soon enough.
23 October 2019
Jordan Hoffart is Rad
Jordan Hoffart used to be very good at skateboarding. He is still pretty good, but he is a very funny and likeable interview. Enjoy.
19 October 2019
Mark Suciu Verso: (*&(^(&^)(*&@#$%^&*&^^% :: brain broken ::
I have said before that to be truly extraordinary you must not only be able to execute brilliantly, but you must first imagine something brilliant you can execute. That vision, that ability to create, is more rare than the ability to execute.
I was reminded of this fact again when I watched this new video from Mark Suciu. The first 3:30 alone would be the best video part this year, and the video as a whole is an instant classic, easily the best of the year, and one of the best ever. Go here for a good and entertaining reaction from a guy that talks about skateboarding for a living.
Enjoy.
16 October 2019
What is Perfect Forward Secrecy?
This is answered in many places on ye olde interwebbe, but a lot of them are rubbish, or are hiding behind some very terrible web design / advertisements, or both. I aggregated the information from a few different videos (shoutout Computerphile!) and some articles as part of a homework assignment, so I thought I would reproduce it here. Full list of resources is copied at the bottom of the post.
This writeup assumes you know what a client and server is, and care, but if you do not then you can think of the client as anything that sends a request, and a server as anything that sends a response (or 'serves' a response). The confusing thing about the terms is that the roles in a transaction can change: clients can become servers, and servers can become clients. Confused yet? Cool. All you need to know is that one thing is calling another thing, and you don't want anyone to be able to listen in on their chat. The thing that makes the initial call? That's the client. The thing that responds? Server.
Enjoy(?).
Summary
Perfect Forward Secrecy enables you to support secure, encrypted communication between clients and servers in your environment, and reduce your risk in the event that any of your servers is compromised. Unlike typical RSA public/private key encryption, cipher suites that use PFS protect you if your server(s) are hacked and the server encryption keys are exposed.
Consider an Electronic Medical Record system that uses typical (TLS 1.2) RSA key exchange now in wide adoption. The EMR system servers encrypt all message traffic using a public and private key pair; the private key is unique to each server. The message traffic in the EMR system includes records and patient data for tens of thousands of patients, across years of medical history. If the private key for any server is compromised then a hacker may be able to use it to gain access to all of the data on that server: medical data, patient data, and the entire message history.
Now consider an EMR system that incorporates Perfect Forward Secrecy. In PFS there is no link between a server’s private key and the session key, so in the event a private key is compromised then a hacker cannot uncover the session key and decrypt the conversation. Also, if attackers are somehow able to compromise the session key they are only able to decrypt the conversation for that particular session; your conversation history is protected, because perfect forward secrecy forces a new session for each message.
In this example the result of a breach caused by a decrypted session key in a system that integrates PFS is the exposure of a single message. The result of a breach caused by the loss of a private key in a system protected by RSA key exchange is the contents of an entire server.
Benefits
You can use PFS to dramatically reduce the amount of information that is vulnerable in the event of a successful hack, and to deter attacks because the rewards in the event of a breach are minimal. Adopting cipher suites that integrate PFS enables you to stay compliant with the latest and most up-to-date traffic security requirements (for example, Google has enforced PFS by default in Gmail since 2011, and Apple has required PFS support for all new apps in the app store since January 2017).
Drawbacks
Perfect Forward Secrecy forces end to end encryption. If your monitoring solution requires that your messages be inspected then you must incorporate a true inline SSL proxy in order to read them. Passive SSL inspection devices that rely on certificate information, subject alternative name (SAN), or common name/hostname (CN), will not be able to decrypt or inspect any traffic protected by PFS.
Supporting PFS requires more computing overhead, because every transaction requires a unique security key. Also, legacy systems may not support the cipher suite keys required for PFS.
Why Should I Care?
PFS can be implemented today if you use a cipher suite key exchange that supports it (e.g. Diffie-Hellman Ephemeral - DHE, or Elliptic Curve Diffie-Hellman Ephemeral - ECDHE). These ciphers have been available since SSLv3, but it is best to implement the latest and most secure protocol supported by your environment, and to evaluate your security posture if your legacy systems do not support PFS.
The latest Transport Layer Security standard (1.3) mandates PFS for all sessions. In other words, if you want to use the most up to date security protocols for your internet traffic, you must use perfect forward secrecy.
For example, Zscaler supports TLS 1.3 and PFS because it is a true inline proxy: it terminates the SSL connection established by the client and establishes a new SSL connection to the server. You can inspect your traffic and ensure that your network exploits the latest, most robust security standards available.
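As an added example (not part of this post or the cnn.com walkthrough, which both describe this handshake), here is a toy Python model of the two key exchanges: TLS 1.2 RSA key transport, where the pre-master secret is encrypted to the server's long-term key, beside DHE, where that key only signs a per-session g^y. An attacker who recorded the handshake and later steals the private key recovers the RSA session key but gets nothing from the DHE recording. The RSA modulus (~128 bits) and DH group (2**127 - 1, generator 5) are constructed toy parameters and must never be used for real traffic.

```python
import hashlib
import math
import secrets

# Toy parameters, constructed for illustration only: a ~128-bit RSA modulus and
# the 127-bit prime 2**127 - 1 as the DH group. Both are trivially breakable.
DH_P = 2**127 - 1
DH_G = 5


def is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test, used only to build the toy RSA key."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def rsa_keygen(bits=64):
    """Server's long-term key pair (the private key behind its certificate)."""
    e = 65537
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        phi = (p - 1) * (q - 1)
        if p != q and is_probable_prime(p) and is_probable_prime(q) and math.gcd(e, phi) == 1:
            return (p * q, e), pow(e, -1, phi)   # public (n, e), private d


def session_key(premaster, nonces):
    """Master/session key: pre-master secret mixed with both Hello randoms."""
    return hashlib.sha256(premaster.to_bytes(32, "big") + nonces).digest()


def rsa_key_exchange(server_pub, server_priv):
    """TLS 1.2 RSA key transport: the client encrypts the pre-master secret to
    the server's long-term key. Returns the session key and the wire recording."""
    n, e = server_pub
    nonces = secrets.token_bytes(64)            # ClientHello + ServerHello randoms
    premaster = secrets.randbelow(n - 1) + 1    # chosen by the client
    client_key_exchange = pow(premaster, e, n)  # this is what a sniffer records
    assert pow(client_key_exchange, server_priv, n) == premaster  # server decrypts
    return session_key(premaster, nonces), {"nonces": nonces, "ckx": client_key_exchange}


def dhe_key_exchange(server_pub, server_priv):
    """DHE: fresh g^x and g^y per session; the long-term key only signs g^y."""
    n, e = server_pub
    nonces = secrets.token_bytes(64)
    y = secrets.randbelow(DH_P - 2) + 2
    g_y = pow(DH_G, y, DH_P)
    # ServerKeyExchange: g^y plus a (toy, 64-bit) RSA signature over it.
    digest = int.from_bytes(hashlib.sha256(nonces + g_y.to_bytes(16, "big")).digest()[:8], "big")
    signature = pow(digest, server_priv, n)
    # Client verifies with the certificate's public key, then sends its own g^x.
    if pow(signature, e, n) != digest:
        raise ValueError("bad ServerKeyExchange signature")
    x = secrets.randbelow(DH_P - 2) + 2
    g_x = pow(DH_G, x, DH_P)
    assert pow(g_y, x, DH_P) == pow(g_x, y, DH_P)  # both sides reach g^xy
    recording = {"nonces": nonces, "g_x": g_x, "g_y": g_y, "sig": signature}
    return session_key(pow(g_y, x, DH_P), nonces), recording


def attacker_with_stolen_key(recording, server_pub, stolen_priv):
    """Later compromise: the attacker holds a recorded handshake plus the server's
    long-term private key. Recovers the RSA session; cannot recover the DHE one."""
    n, _ = server_pub
    if "ckx" in recording:
        return session_key(pow(recording["ckx"], stolen_priv, n), recording["nonces"])
    # The DHE recording holds only g^x and g^y. The stolen key re-verifies the
    # signature but gives no way to compute g^xy without x or y.
    return None


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    key_rsa, rec_rsa = rsa_key_exchange(pub, priv)
    key_dhe, rec_dhe = dhe_key_exchange(pub, priv)
    print("RSA session recovered:", attacker_with_stolen_key(rec_rsa, pub, priv) == key_rsa)
    print("DHE session recovered:", attacker_with_stolen_key(rec_dhe, pub, priv) == key_dhe)
```

Each call to dhe_key_exchange produces a different session key, which is the per-session property the post describes; the signature step is what prevents an on-path party from substituting its own g^y.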
///
This writeup assumes you know what a client and server is, and care, but if you do not then you can think of the client as anything that sends a request, and a server as anything that sends a response (or 'serves' a response). The confusing thing about the terms is that the roles in a transaction can change: clients can become servers, and servers can become clients. Confused yet? Cool. All you need to know is that one thing is calling another thing, and you don't want anyone to be able to listen in on their chat. The thing that makes the initial call? That's the client. The thing that responds? Server.
Enjoy(?).
Summary
Perfect Forward Secrecy enables you to support secure, encrypted communication between clients and servers in your environment, and reduce your risk in the event that any of your servers is compromised. Unlike typical RSA public/private key encryption, cipher suites that use PFS protect you if your server(s) are hacked and the server encryption keys are exposed.
Consider an Electronic Medical Record system that uses typical (TLS 1.2) RSA key exchange now in wide adoption. The EMR system servers encrypt all message traffic using a public and private key pair; the private key is unique to each server. The message traffic in the EMR system includes records and patient data for tens of thousands of patients, across years of medical history. If the private key for any server is compromised then a hacker may be able to use it to gain access to all of the data on that server: medical data, patient data, and the entire message history.
Now consider an EMR system that incorporates Perfect Forward Secrecy. In PFS there is no link between a server’s private key and the session key, so in the event a private key is compromised then a hacker cannot uncover the session key and decrypt the conversation. Also, if attackers are somehow able to compromise the session key they are only able to decrypt the conversation for that particular session; your conversation history is protected, because perfect forward secrecy forces a new session for each message.
In this example the result of a breach caused by a decrypted session key in a system that integrates PFS is the exposure of a single message. The result of a breach caused by the loss of a private key in a system protected by RSA key exchange is the contents of an entire server.
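The contrast described above can be made concrete with a small key-exchange model. This is an added example, not code from the original post: it uses textbook Diffie-Hellman over a constructed toy prime (not a real TLS group, and not secure for real use), and it omits the signature a real (EC)DHE handshake uses to authenticate the server's ephemeral value. It models a non-PFS exchange, in which the server's long-term key is the key-exchange key, next to an ephemeral exchange, and then asks what an eavesdropper who recorded the handshake and later stole the server's long-term private key can recover.

```python
"""Added example: why an ephemeral (DHE-style) exchange limits the damage of a
leaked long-term server key. Toy arithmetic; parameters are constructed for
illustration only and are NOT secure for real use."""
import hashlib
import secrets

P = 2**127 - 1   # constructed toy modulus (a Mersenne prime), not a real TLS group
G = 3            # constructed toy generator


def dh_keypair():
    """Return (private, public) for textbook Diffie-Hellman over the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(shared_secret, client_pub, server_pub):
    """Derive a symmetric session key from the DH result and both public values."""
    material = b"".join(x.to_bytes(16, "big") for x in (shared_secret, client_pub, server_pub))
    return hashlib.sha256(material).digest()


def static_exchange(server_static_pub):
    """Non-PFS model: the server's long-term key doubles as its key-exchange key,
    so the same private value contributes to every session.
    Returns (session key, transcript an eavesdropper could record)."""
    client_priv, client_pub = dh_keypair()
    key = session_key(pow(server_static_pub, client_priv, P), client_pub, server_static_pub)
    return key, (client_pub, server_static_pub)


def ephemeral_exchange():
    """DHE/ECDHE model: both sides generate one-time keys that are discarded
    after the session key is derived. The long-term key would only sign the
    ephemeral value (omitted here); it never enters the session key."""
    client_priv, client_pub = dh_keypair()
    server_eph_priv, server_eph_pub = dh_keypair()
    key = session_key(pow(server_eph_pub, client_priv, P), client_pub, server_eph_pub)
    del client_priv, server_eph_priv   # forward secrecy relies on these being gone
    return key, (client_pub, server_eph_pub)


def recover_with_leaked_key(server_static_priv, transcript):
    """What an attacker who recorded the handshake and later obtains the server's
    long-term private key can compute from the recording."""
    client_pub, server_pub = transcript
    return session_key(pow(client_pub, server_static_priv, P), client_pub, server_pub)


def demo():
    """Return (static_exposed, ephemeral_exposed): whether the leaked long-term
    key lets the attacker reproduce each session's key."""
    static_priv, static_pub = dh_keypair()
    k_static, t_static = static_exchange(static_pub)
    k_eph, t_eph = ephemeral_exchange()
    return (recover_with_leaked_key(static_priv, t_static) == k_static,
            recover_with_leaked_key(static_priv, t_eph) == k_eph)


if __name__ == "__main__":
    exposed_static, exposed_eph = demo()
    print("non-PFS session recoverable from leaked key:", exposed_static)   # True
    print("PFS session recoverable from leaked key:    ", exposed_eph)      # False
```

In the static case the attacker's computation of the shared secret is exactly the server's, so the recording decrypts. In the ephemeral case the recording only contains public values, the private halves no longer exist anywhere, and the long-term key is useless against it; each new call to `ephemeral_exchange()` also yields a fresh key, which is the "one session, one key" property the text describes.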
Benefits
You can use PFS to dramatically reduce the amount of information that is vulnerable in the event of a successful hack, and to deter attacks because the rewards in the event of a breach are minimal. Adopting cipher suites that integrate PFS enables you to stay compliant with the latest and most up-to-date traffic security requirements (for example, Google has enforced PFS by default in Gmail since 2011, and Apple has required PFS support for all new apps in the app store since January 2017).
Drawbacks
Perfect Forward Secrecy forces end to end encryption. If your monitoring solution requires that your messages be inspected then you must incorporate a true inline SSL proxy in order to read them. Passive SSL inspection devices that rely on certificate information, subject alternative name (SAN), or common name/hostname (CN), will not be able to decrypt or inspect any traffic protected by PFS.
Supporting PFS requires more computing overhead, because every transaction requires a unique security key. Also, legacy systems may not support the cipher suite keys required for PFS.
Why Should I Care?
PFS can be implemented today if you use a cipher suite key exchange that supports it (e.g. Diffie-Hellman Ephemeral - DHE, or Elliptic Curve Diffie-Hellman Ephemeral - ECDHE). These ciphers have been available since SSLv3, but it is best to implement the latest and most secure protocol supported by your environment, and to evaluate your security posture if your legacy systems do not support PFS.
The latest Transport Layer Security standard (1.3) mandates PFS for all sessions. In other words, if you want to use the most up to date security protocols for your internet traffic, you must use perfect forward secrecy.
For example, Zscaler supports TLS 1.3 and PFS because it is a true inline proxy: it terminates the SSL connection established by the client and establishes a new SSL connection to the server. You can inspect your traffic and ensure that your network uses the latest, most robust security standards available.
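A practical way to act on the "implement it today" advice is to audit a server's configured cipher list for suites that cannot provide forward secrecy. The following is an added example, not code from the original post or from any vendor: the suite names are standard OpenSSL and IANA spellings, the configuration list is constructed, and the rule applied is the one described above, that DHE/ECDHE (and every TLS 1.3 suite) give PFS while RSA key transport and static (EC)DH do not.

```python
"""Added example: flag configured cipher suites that cannot give forward secrecy.
Suite names are standard OpenSSL/IANA names; the configuration list is constructed."""

# The five TLS 1.3 suites (RFC 8446). TLS 1.3 always uses an ephemeral (EC)DHE
# exchange, so the suite name no longer carries a key-exchange token.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}

# Key-exchange tokens that mean an ephemeral, authenticated exchange.
# "EDH" is the older OpenSSL spelling of DHE (e.g. EDH-RSA-DES-CBC3-SHA).
EPHEMERAL_KX = {"ECDHE", "DHE", "EDH"}


def has_forward_secrecy(suite):
    """True if the suite's key exchange is ephemeral (EC)DHE or the suite is TLS 1.3.
    Plain RSA key transport, static ECDH/DH, and anonymous ADH/AECDH all return
    False (the anonymous ones are ephemeral but unauthenticated, so they are not
    an acceptable substitute)."""
    name = suite.strip().upper()
    if name in TLS13_SUITES:
        return True
    tokens = name.replace("_", "-").split("-")   # accept both OpenSSL and IANA spellings
    return any(tok in EPHEMERAL_KX for tok in tokens)


def audit(suites):
    """Return the suites from the configured list that lack forward secrecy,
    in their original order, so they can be removed from the server config."""
    return [s for s in suites if not has_forward_secrecy(s)]


# Constructed sample configuration, mixing good and bad choices.
CONSTRUCTED_CONFIG = [
    "TLS_AES_256_GCM_SHA384",        # TLS 1.3: PFS by construction
    "ECDHE-RSA-AES128-GCM-SHA256",   # ephemeral ECDH, RSA-signed: PFS
    "DHE-RSA-AES256-GCM-SHA384",     # ephemeral DH, RSA-signed: PFS
    "ECDH-RSA-AES128-SHA",           # static ECDH: the long-term key is the DH key
    "AES128-GCM-SHA256",             # RSA key transport: session key sent under the server key
    "TLS_RSA_WITH_AES_256_CBC_SHA",  # same thing in IANA spelling
]

if __name__ == "__main__":
    for bad in audit(CONSTRUCTED_CONFIG):
        print("no forward secrecy:", bad)
```

Feed `audit()` the output of your server's cipher list (for OpenSSL-based servers, `openssl ciphers -v '<your cipher string>'` prints one suite name per line) and anything it returns is a suite whose sessions become readable if the server's private key is ever exposed. The TLS 1.3 set is matched by name because, as the text notes, 1.3 does not negotiate non-PFS exchanges at all.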
///
13 October 2019
Read This: Bad Blood by John Carreyou
This book is amazing. You should read it. How did these clowns get away with this scam? How did Holmes convince a board full of geriatric white guys to support her company? Why did someone not ask Holmes what the hell was wrong with her stupid voice? The book does a thoroughly researched job explaining what happened, but I will never understand how it happened. Silicon Valley is thirsty af.
Holmes and her cartoonishly villainous cohorts managed to con their way into NINE HUNDRED MILLION DOLLARS. That's a lot of money! Apparently more than half of it was spent on legal fees, which raises the question of how much the lawyers collecting those fees (and aggressively suing anyone that dared to speak the truth about this sham) knew about the con, and if the company was actually viable.
It would be great if the lawyers employed by Holmes would admit some culpability, or maybe suffered some consequences for their participation in this very long con, but that did not happen. Lawyers are very good at making sure that they get to bill hours, and everyone else gets fucked.
12 October 2019
Green for Me, Mostly
I tried one blue trail and it was a lot of jumps. I don't know how to do jumps! So I stuck to the swoopy downhill sections. Fun!
11 October 2019
I've Been Busy
Hi!
I've been busy, away, or busy and away at the same time. I was in Detroit, then in Tel Aviv for a week, and then Whistler, BC, then Seattle. On top of that I have been working on some projects for work. So a lot going on, and not super pumped to post any update. I think about doing it, and then I forget because I have some homework or I do not want to look at my computer.
Things have calmed down a little, even though I have more trips on the horizon (LA, Toronto, Seattle again). I will post more regular updates for the balance of the calendar year. Get excited. First things first, here is a photo from the last time I was in Israel. It's a photo of the Old City in Jerusalem. When I was there it rained, and also it was early, and there were no people. The Old City is a tourist trap, but if you can avoid that, and you can get to other parts of Jerusalem, it's great.
More later.
30 August 2019
Ride Bikes? Ride Bikes.
Over the years there's been a lot of hot air devoted to what cycling is 'about': It's a metaphor for what your life is about, or what your life isn't about, and it says something about you, or it doesn't, and your bike is wrong, or it's right, and there are rules, but also there are different rules, and on and on. I find all of it to be more than a little exhausting, because who gives a shit?
Just ride your goddamn bike.
Ride your mountain bike, your road bike, your gravel bike, your e-bike, your fat bike,* your push bike, your three wheeler, your whatever. Ride it up hills, down hills, over hills, around hills, on the flat, in the wind, out of the wind, in the rain, in the snow, in summer / winter / spring and fall, in a big circle, take the lift and coast downhill or pedal up, ride to your friends house, to work, to your loved one, to the pub, to run errands, for fun, for fitness, for community, for freedom, for escape, because you want to, because you have to. Just ride your fucking bike.
If you don't like riding bikes that's cool. Do something else, for whatever reason you want to do it. Don't let anyone gatekeep that thing. Gatekeeping is bullshit.
These videos from Rapha are slick and polished marketing but I think they tell a good story about how crazy people can be about riding bikes. It helps that Lachlan Morton is a low-key savage on two wheels. Maybe it speaks to you, maybe it doesn't. I got a kick out of it.
Enjoy your weekend.
* I struggled with this one. Fat Tire e-bikes are... not my favorite. But you do you.
22 August 2019
A Formidable Record: Rolling Stones Greatest Hits
A friend of mine went to the Rolling Stones concert tonight. I guess it seemed good on paper? I watched some grainy recorded video and Mick doesn't quite hit the notes like he used to. Go figure. You'd be better off queuing up the Greatest Hits record on your local HiFi and getting real baked at home. By yourself, or with friends. Either way you save a lot of money and have a way better time. And you beat the traffic.
Ruby Tuesday is my favorite Rolling Stones song. Brian Jones on recorder for this track, if you were wondering.
20 August 2019
Long Time No Talk - How Have You Been?
No, I didn't quit the blogspace. I actually think about it quite a lot, but then I don't get around to putting the time in to deliver on the mediocre thoughts. In the past month I have traveled a bit, and was able to see some friends in San Jose while on a work trip.
I went to Cabo San Lucas for a long weekend. Cabo is nominally in Mexico, but feels way too much like a lawless suburb of Newport Beach, right down to the people that go there. It's not that Cabo wasn't fun - I went with friends and had a good time, but it's not my kind of fun. There is nothing to do there but go to the bars and go to the beach, and the big advantage of Cabo over a place with bars and beaches that are a short drive from where I live is that it is cheaper, and the weather tends to be reliably warmer, and it is much easier to get all the cocaine you want. (Not even kidding about that last part - if the market is any indicator of demand then coke is it. I couldn't walk 20 feet without some street vendor trying to sell me blow. It was not what I expected at all, but for some people it is probably paradise.)
I have been riding my bikes as much as I can on the weekends. Very exciting.
While I was in Cabo there were not one but two more mass shootings in the United States, which was sad and terrible and caused some in-bad-faith calls for mental health awareness and also some type of Federal law that will allow people declared dangerous to have their guns taken away. Not sure how much experience you have with the judicial system, but anyone involved in it will tell you that it is a shitshow that is only occasionally functional, and then only slowly. There are already laws in place in some states (like California) that if you get a restraining order force you to get rid of all your guns. They don't work.
The best way to keep people from using guns to kill people is to keep them from getting guns in the first place. Guns of all kinds are far too easy to get. You can get a gun more easily than a drivers license. That is absurd. I am in favor of gun ownership if you can demonstrate competence: go through thorough interviews and background checks and show that you are capable of owning and operating one safely. I think a gun should be on par with getting your entry level pilot's license, with a strict supervised test and regular checkups on your competence. (Maybe force all shooters to qualify at the same standard as your local police officers.) This would prevent many people from owning guns, but if you are not qualified to operate it then you are not qualified to own it. Tough luck for you, but better for everyone, including you, since you are a danger to yourself and others if you own a gun and do not know how to use it.
It's a shame that this kind of approach gets no traction, and instead we get stupid blanket bans on certain types of weapons and similar bullshit. That does not solve the problem! You can ban magazines, and black rifles, and 'assault weapons', and on and on, but it's not going to do a damn thing. Make gun ownership as a whole more difficult, and force gun owners to prove their mental and physical competence, and you will see a sharp decline in mass shootings.
You will never ban guns completely, because the constitution is broken, and the Senate is also broken. Banning 'assault rifles' does absolutely nothing for the many, many millions of rifles already in circulation. You think people like me are going to turn them in? Fuck you very much, and I am a downright moderate when it comes to this kind of thing. Make guns harder to get, and you will meet the needs of people that want to work for gun ownership, and all the lazy half-wits and gun-humpers can go find a new hobby.
12 July 2019
It Was Good In Parts, Less Good in Others: A Brief History of Seven Killings by Marlon James
This book, enh, it was alright?
I didn't love it. It was really good in some spots, but it felt like there were many sections where James was just flexing his writing muscle and it did not advance the story at all. If you're into it then maybe you would be less bored with it than I was. There were some chapters that I felt could have been omitted, and many others that could have just been cut in half, or more.
The characters that James creates are great, and it is a long and involved story. "Sprawling" seems to be a popular way to describe it, but here's the thing: sprawl can have a negative connotation (e.g. urban sprawl), and I think that connotation applies here. This novel had all the elements to be a true classic, but it needs to be tightened up.
One other thing that got really, really old was the fact that the entire novel was written in the first person viewpoint. Everything that happens is happening through one person's eyes, and that just gets tiresome after a while. Also it starts to feel gimmicky and contrived when you introduce minor character number 28, who won't play any kind of role beyond maybe killing somebody. So it all got a bit tiresome after a while.
That said, the parts that were good were excellent, so you can see why some people like the book. But any honest reviewer can see that while it is a strong work of fiction, it isn't as good as it could be.
I don't know that I would recommend it, unless you want to know more about Jamaica gang violence in the 70s and 80s. That part was kind of interesting.
11 July 2019
Chris Cole is a God on Earth
Do you like skate videos? Me too! Here is Chris Cole doing fun things on a skateboard. 11 minutes! That's a lot of footage. Enjoy.
01 July 2019
Congratulations Alex Howes - 2019 US Men's Elite Road Race Champion
One of the unique and fun things about pro cycling is that if you win your national championship in a specific discipline you get to wear the national jersey for the entire next year whenever you ride that discipline. (After your year is up you get to wear stripes on your sleeve, which is good and cool but very confusing if you are trying to determine if a rider is Belgian or German, never mind all the countries with red/white/blue as their flag colors). Wearing the jersey is a big honor, and at the beginning of all the races you start at the front to show off the colors, and you ride alongside the other jersey-wearers. And the stripes are forever, which is legit.
This year the US National Champion is Alex Howes, who won a very exciting race on a circuit course in Knoxville. Howes is a beast of a rider, and he deserved the win after riding in a breakaway, getting caught by the peloton, and then riding in another breakaway before getting separation at the end to clinch the victory. A worthy champion, and a nice story after several years of near misses for him in the race.
Howes also rode in the Dirty Kanza last month, a race which is weird and popular with a subset of people that like the feel of dirt in their mouth and sand in their shoes. To each their own, I guess. His team made a very good video about it, which you can enjoy above. Howes' team sent three pros to Kanza, and I don't think it is a coincidence that they sent three likable, telegenic riders. That's just good marketing, but it helps that they are phenomenal on the bike.
10 June 2019
The Long Nightmare is Over: I Have a Car Again
Five Door Hatchback in Black
It was a slog. Partly because my plans didn't unfold as planned: no work travel for May, when I was originally supposed to be gone for some significant part of two work weeks. Also it turns out that my favorite part of most days is driving to the gym and listening to pump-up jams. I am dumb so I did not think of doing this in an uber. My friend pointed out that the youths wear earphones all the time, so it may have been an age thing. It would have improved my experience immeasurably.
On top of that the uber costs themselves started piling up. $20 minimum every time you want to get somewhere and back does not give you a lot of options. Yeah you can ride your bike, but that started to wear me out too, because I am old and busted. You can take the bus, but the bus service in my area is next to useless, with a long walk followed by a long wait followed by a long walk. And you must hope you don't have any connecting buses. A bike is your best option if you can swing it. And you can take a route that will not kill you, which is only possible in certain circumstances. The area in which I live is not bike commute friendly, and the public transportation is rubbish. I learned a lot about what was important to me, and also how much harder it is for people that don't have any access to a car at all. I did not like what I learned, but it was a necessary lesson.
Some stuff was easy, like getting groceries. If you live in a densely populated urban area you can have your groceries delivered, either from Vons or instacart or Amazon. If you live in California and in a city you can also get your produce (and a lot of other grocery items) from Farm Fresh to You. I am a big fan of the delivery, and I am going to keep doing it. Works out well.
So that's the latest news. I like the car, but mostly I like being able to drive and listen to music in a car with a good stereo and tinted windows. Which is more or less exactly what my old car was doing, but much more slowly. Borrrrrrring.
26 May 2019
Martyn Ashton and Rob Warner on a Bike
Got through it though, and then some.
24 May 2019
Six Weeks and No Car: Update
I still do not have a car. Reports from the car getting place suggest that the car I ordered will be here pretty soon. Here is my short summary of what it is like not to have a car for six weeks:
It sucks.
This concludes our brief update on what it is like not to have a car. Watch this space for a more detailed report, maybe after I get a car.
05 May 2019
23 April 2019
To the Bikes! (S-Works Venge with Enve Wheels)
After you get done reading the previous post about desperately lonely girls and their hobbyhorses in Finland (or not), you can cleanse your palate with a photo of this glorious bicycle, which has found a loving home with me.
Adoption can be expensive, so I will maybe miss the kidney I had to sell to pay for it, but it rides like a dream. I am very slightly less slow now. And I look good.
If you are curious, this is a custom-built S-Works Venge frame / Aerofly cockpit / Power saddle / Ultegra di2 groupset / Enve SES AR4.5 Disc wheels laced to Chris King hubs.
Tubeless Hutchinson Sector 28 tires, which I will likely use again, as they have performed well for me. Geared 52/36 in the front, and 11-28 in the rear. The bike is very fast. Not with me on it, but in general, it is fast. And it is a lot of fun to ride.
21 April 2019
What the fuck is this?
I couldn't get much past the headline, but if you can, and it makes any kind of sense, then please let me know.
19 April 2019
I Do Not Have a Car Right Now
For the first time in many years I do not have a car. I returned the car that I had leased, and the car that I wanted was not available with an automatic transmission in a color that I liked. So I had to order it, and that takes a long time (ETA is the first week of June, and I put the order in six weeks ago). So here we are.
I did the math and the best financial option was to return the lease and to rent / rideshare / bike / walk until the new car is available. There are a few things about this that make it easier for me than for most people:
- I do not have a commute to work. The only place I commute every day is to the gym, and it is about 4 miles away. Not the easiest bike ride because of city streets and rush hour, but it is workable.
- You can get almost anything delivered to your house these days, including groceries.
- I live a 5 minute bike ride from a grocery store.
- The weather this time of year tends to be bike friendly, although I could do with less wind. A LOT less wind.
- I have a nice bike, and I can afford all the tools, and can do most of my own maintenance. (Adjusted the rear derailleur this week, thank you very much.) So I am not grinding it out on a beach cruiser.
- It is very easy to get an uber or to rent a car if I need a ride or to drive somewhere.
You will notice that I did not mention anything about public transportation. That is because the public transportation system where I live is trash, because Orange County wants to do as little as possible for people that do not or cannot drive. This is why south Orange County in particular sucks: it's not bike or pedestrian friendly, there is no public transport, and everything is strip malls.
That's my big update for the week. My friend asked me how it was going and so far it's fine. I will revisit this in a few weeks after the overall inconvenience has had a chance to sink in. We will see. I will probably rent a car for a few days at a time to do stuff like big shopping at the grocery or if I have a meeting that requires I drive. Now excuse me while I get ready for my gym bike ride.
18 April 2019
Work Travel Sucks the Life Out of You
Hi! In the past three weeks I have been to Las Vegas, San Francisco, and Salt Lake City (one trip per week). It was exhausting. I will say more about all that when I have something interesting to say about it.
In the meantime here is a video about an octopus that is funny. The narration is kind of lame, and the music is dumb, so maybe just watch this baby genius with the sound off and have a nice chuckle while it 'walks' across the sea floor.
08 April 2019
Yikes - a month?
I have been very busy the past couple weeks, and also not done anything worth posting about.
People remain dumb, but here is some online dating video goodness from the 80s. I'm sorry.
More later.
04 March 2019
I Went There: Israel
A couple weeks ago my boss asked me if I could visit the mothership in Tel Aviv. I said yes (in my experience best practice is to say yes when your boss asks you to do something, because can-do attitude and all that), and so I went.
I was gone for a total of 8 days, with two travel days on the bookends, 5 days of work, and one day of sightseeing at the end. It was an interesting visit, although the work was grueling. They didn't fly me all the way out there to take it easy, and I work at a startup so there is a lot of urgency. That meant that the days were pretty long. On top of that the jet lag was brutal, and my typical pattern for the week was to wake up between 3 and 4 in the morning, read or zone out on the internet until the gym opened at 6, hit the crummy hotel workout space to move around a little, get cleaned up and have breakfast, and then head into the office. At the end of the day I would just come back to the hotel and fall asleep without dinner. Just collapse, exhausted.
So it was not a great 'visit' to Tel Aviv, but it was a productive work week. I was able to do some sightseeing and visit Jerusalem on the last day I was there. That was cool to see and do. I got there early, and it was cold as hell and raining, so not many people were in the streets of either Jerusalem proper or the old city. Walking empty streets that are two thousand years old is a rare experience, and I enjoyed it. The old city is both a holy site and a constant hustle, and I got the hard sell at both the Jaffa Gate on my way into the old city, and again from a booze-smelling semi-orthodox guy while I was standing in front of the Western Wall. It's a living I guess.
Sightseeing in Jerusalem was a highlight. The actual city is beautiful, with lovely architecture and a very cool market that is apparently packed most days. It was beyond crowded on the day I was there, so that was fun. Very middle eastern bazaar type feel in that place. I think it was Mehane Yehuda (sp?). Highly recommended.
Other highlights included walking home from dinner (one of only two times I ate dinner in the week I was there) on Rothschild Street in Tel Aviv and seeing enormous bats flying around the trees and near the lamps. Didn’t expect that, but it was great. It was downtown, right in the middle of a busy area. No one paid any attention, but I was pumped.
Overall the food was great. I think as far as cuisines go the Israeli Mediterranean style is probably my favorite overall. Lots of fresh food, not much beef. They do eat a lot of bread. Like, so much bread. But if you skip that you’re in pretty good shape with your everyday diet. The breakfast buffet at my hotel was next level. They had three or four kinds of cured fish every morning, which I loved. And they had 10 kinds of cheese, which I did not. But still: 10 kinds of cheese! For breakfast! Mainly they had a nice assortment of salads and some eggs, plus some pastries. It was my biggest meal of the day, and very tasty.
Jaffa, an old section of south Tel Aviv, was nice, I guess? I wasn’t impressed, but it’s a thing people visit. Other stuff I missed was the thriving nightlife and bar scene. Experienced none of that, as I was either tired or not much interested in being the solo guy at a bar. I hear it’s great, but a work trip is work, so that was the priority.
The bus drivers on my ride to and from Jerusalem were super nice. So were all the people that I met individually for work. I mention this because the people in Tel Aviv were generally rude as hell. It’s a culture thing, but by Western standards they are discourteous assholes. Be prepared for that going in and you kind of get used to it. Kind of.
Getting around was easy enough - much of it is walkable. There is a lot of construction and weak public transport so everyone takes their electric bikes everywhere. No Uber, so you just have to order a taxi or pound the pavement. Some taxi drivers will give you static about paying with a credit card, which is funny because that’s the reason I stopped taking taxis years ago. This is one of the things that a taxi driver of mine was rude about, and while I don’t know how to tell someone to go F yourself in Hebrew, I think he got the message. (For the record, I would like to pay in cash, but I am not going to eat the exchange rate on a company expense. Also if I do that I have to front the money, instead of putting it on my cc and getting reimbursed and paying my bill. So: no.)
Getting there and back is a punishment. My flights home are 12 hours from Tel Aviv to Newark, and then almost six hours from Newark to Santa Ana. Ouch. As I type this I have four hours to go on the first leg of my return flight, and I have already been on the plane for 8 hours. Fuuuuuuck me. And no, I did not get to fly business class.
That’s that for now. I hope you had a good week.
18 February 2019
10 Years Ago (this April) Danny MacAskill Broke the Internet
This is pre-Red Bull sponsorship, and it announced MacAskill to the world outside of street trials. It remains one of the best trick videos ever, exceeded only by Road Bike Party 1 and 2*, and by the big budget video he did the year after this came out, Way Back Home.
Enjoy again if you have already seen it once. His style has changed since then - he rides mountain bikes now, and does not do as many spin tricks, nor does he jump as high or as far. This is vintage Danny, a bit more raw than in later years, but every bit as good.
* Danny's part in Road Bike Party 2 is absurd.
08 February 2019
The Definition of Insanity
The ignorant cliche that 'Doing the same thing over and over again and expecting a different result is the definition of insanity' has become very common. It is also wrong.
There is a very long and detailed reference manual with a great many definitions of insanity. The manual is so comprehensive that it aims to list them all. The above is not one of them.
Doing the same thing over and over again and expecting a different result is the definition of STUPIDITY.
Another example of stupidity: Repeating tired and inaccurate cliches that you saw on Facetagram and Twit. Please stop. Do it for the children.
05 February 2019
More Books! The Emperor of All Miseries
I read the Emperor of All Maladies over the course of a few weeks. It is excellent, and I think that it is one of those books that everyone should read. Over the course of your life you and/or someone you know will get cancer, and this is a good primer on what that means. It may be that you have already had that experience, and in that case you can probably give it a hard pass, because you don't want to live it again. If not, then consider it a primer on a future problem. You can learn it now, at your leisure, or later, under duress.
My issue with the book is that it does not do enough to describe the miseries of the people afflicted. It would be impossible to read if it did, but the consequences of a cancer diagnosis, and the subsequent treatments, and the relapse, are profound.
This is a book where everyone dies. Sometimes that gets lost in the clinical language and the 'successes' offered by the treatments. Mukherjee does good work to address the challenges of the treatments, and the toll they take on the body, but I think a more critical assessment is necessary.
If you suffer terribly to extend your life another six, twelve, or 18 months and then your cancer returns (as it often does), then was that really a 'success'? I do not think so. The brutal truth is that at some point most people in the United States will have to make a decision, either for themselves or for someone they love. That was the hardest fact about the book, and that is why you should read it.
04 February 2019
Commercial Success: We'll Keep This Brief
03 February 2019
To the Books! Metro 2033
tl;dr review for Metro 2033: Don't bother.
I heard that Metro 2033 was hugely popular in Russia and elsewhere, and decided to give it a read. It is not a good book. My translation was shockingly bad, which didn't help, but even allowing for a very clumsy and budget printing and translation it still was not good. Too long, too many dream sequences that do nothing to advance the plot, too many improbable rescues and too many endings. Also my book did not have a printed map in it, which is kind of bizarre for a book that is set in a real place, describes that place in great detail, and for which DETAILED MAPS ALREADY EXIST.
An aside on the subject of improbable rescues: The original Pixar team that worked on Toy Story had a rule that you could use a coincidence to get you into trouble, but you could not use a coincidence to get you out of trouble. It's lazy writing and lazy storytelling. Guess how many coincidences get the main character of Metro 2033 out of trouble? A lot! I counted three pivotal plot points that were 'solved' by coincidence. That is lame and bad. Every time the guy was about to die I knew some bullshit would happen to get him out of it. Borrrrriiinnnnng. The main character didn't solve anything. He just got lucky and failed forward. Great job, loser.
The only interesting part about the story was the fully realized world in which it occurs. The monsters are terrifying, the environment is terrifying, and the whole world is dark and brutal and miserable. That part is great. The characters? Flat and one dimensional. The dialog? A bad English translation of what was probably crap to begin with. The story? Weak.
Hopefully they will make a movie and tighten it up. I heard the video game is also good, and after seeing how well the world is described I can imagine the game being a lot of fun.
16 January 2019
Nature is the Best: Birds of Paradise (the birds not the plants)
It's important to get the crib looking good if you're going to have company. And to put your best foot forward. If you're not sure what to wear then trust that black looks good on almost everything.
10 January 2019
Trump's Wall is Bad and Dumb
There is no 'crisis' at the southern border. Trump's wall is the worst kind of government spending: a solution that does not work for a problem that does not exist.
Beefing up the department that handles asylum seekers on Southern points of entry would solve the caravan problem. He could do that relatively easily, as outlined here in the Atlantic.
Income inequality is the biggest threat to America right now, right up there with global warming and worldwide pollution. Immigration is an issue, and it can be easily resolved using existing mechanisms or new policy. Building a wall won't do a damn thing.
That's all you need to know about it. If you want bullshit from bad politicians then review comments from Nancy Pelosi and Chuck Schumer. If you want facts, read a decent newspaper. Subscriptions to the New York Times start at $1 a week.
06 January 2019
Welcome to 2019: Make Some Connections
Hello friends! I hope that you had a good Winter Holiday (winter holiday?) and New Year. If you didn't get a holiday or do anything for New Years Day then, umm, that sucks. Hopefully it was not something that will carry through the rest of the year.
I read the book Lost Connections and liked it. I recommend that you read it too if you wonder why depression is so common in societies that, for all intents and purposes, seem to have everything they could want. If you prefer to listen then get the audio version, or listen to the podcast with Sam Harris.
2018 ended on some welcome news for me: I got a job. I had been unemployed for a short while and it sucked. Partly because worrying about health insurance was a stress, and partly because I am much better when I am busy. The long unproductive time before I got laid off sort of but not really prepared me, so I was looking for work very aggressively before I got let go. It feels good to be back working again, and being able to work with smart people on fun opportunities is an exciting prospect. I will not post too much here as I prefer to keep this space separate from my business life (I have a customer-facing technical sales job and the views expressed here are not always popular).
Did some traveling at the end of the year. More on that later.