Conclusion of a series of feature requests for Akai MPC Live II

Thought I’d throw out some feature requests so that people can jump in and tell me that this isn’t the place for them, Akai doesn’t read this forum anyway, and that half of what I want is stupid. Oh, the things I have to look forward to.

Seventh, WHY is there no save button in the Sample Edit screens? WHY do I have to go through a dozen steps to save a sample? Why not just provide a button, pop up a screen, allow me to select the location and name and save the sample? How has this been overlooked for this long?

Okay, that would be a good start. I expect none of it but would be very happy to find these things in the next update.

Free Chiptunes MPC Expansion:

CHIckenliP TUNESv1 lofi SID sample pack nobodyimportant

Series of feature requests for Akai MPC Live II

Sixth, since the core of the MPC is Linux, please allow remote access to video. I’d like to be able to open a screen on my PC that shows what is on the 7” screen on my MPC Live II. This would allow me to make better quality instructional videos. The USB 3.0 connection to a PC would have plenty of bandwidth considering resolution and required FPS.

Series of feature requests for Akai MPC Live II

Fifth, you’ve started down the road of adding plugins for the MPC to use (Hype, Mellotron, Solina, etc) in standalone. Please add the 809, the Bank, the Noise, and the Wub to the plugins that work for the MPC in standalone.

Series of feature requests for Akai MPC Live II

Fourth, I hope you are already working on this, USB audio standard at the OS level, not something sitting on top of the Linux kernel. That 8 ms is tolerable, but the only way you can get to 48kHz is by creating native support.

Series of feature requests for Akai MPC Live II

Second, you have Splice on the MPC. Include Melodics. Why? Because then I could practice and improve my finger drumming without having to be connected to a computer.

Third, the MPC has a controller mode for USB, what about Bluetooth?

Series of feature requests for Akai MPC Live II

First, when I’m on the piano roll using the pencil, when I hold the shift button and tap something, it should select it. And if I continue to hold the button and tap things, it should select them. Imagine how easy it would be to edit a chord if you could select the pencil, hold shift, select the 3, 4, or even 12 notes and then immediately be editing them.

How bad is iOS 15?

October 5, 2021

I am using an iPad Pro with an Apple Keyboard/Trackpad. When I run the Discord client and try to enter text in the text entry field at the bottom of screen…

HOW AM I SUPPOSED TO SEE WHAT I AM TYPING?!?!? GET YOUR TEXT PREDICTION RIBBON OUT OF THE WAY!!!

What the hell? I AM USING A KEYBOARD DUMMIES!

How does something this simple get past Quality Control?

Abortion, Covid-19, and why you’re wrong.

A simplification of a foundational concept of psychology is,

People change when it hurts bad enough

I also want to remind people of Hanlon’s razor

never attribute to malice that which is adequately explained by stupidity

With those two things in mind, let’s talk about freedom and responsibility. First we will separate freedom from license. Consider James Bond (007). He has a “license to kill.” So what is it that he has that is different from anyone else? He has the ability to terminate someone at his own discretion with no repercussion. Consider your license to drive. It gives you the ability to travel on motorways to the destination of your choice with no repercussion.

Obviously license is given to you by a licensing authority to have the ability to act without facing repercussion for the action for which you are licensed. There MAY be limiting factors AROUND the use of license (speed limit when using a motorway), but the fact you were using an automobile on a motorway is not a violation. WITHOUT license you are prohibited.

Freedom on the other hand is considered innate. It comes from “all persons being created equal…” (regardless of your position of a supernatural creation or a natural one). There is no licensing authority on a freedom. A freedom exists because you do.

So what about limitation? Are there limitations on freedoms? What happens when you walk into a movie theater and yell, “Fire!” and there isn’t one? You are exercising freedom of speech. People panic, run out of the theater, some are trampled to death… but you have no responsibility, right? That’s not your fault, right?

You take a loved one to the firing range. Both of you are there voluntarily shooting at targets, you turn and accidentally shoot them. There is no responsibility here for the injury or death because you were just exercising your freedom of, “keeping and bearing arms,” right?

My point is freedom is inseparable from responsibility. In some freedoms there is a responsibility to act (like voting). In some freedoms there is a responsibility to not act. In the separation of church and state clause you have a responsibility to not impede someone’s beliefs. However, is there a limitation to this?

Let’s look at the Fourth Amendment. This protects citizens against search and seizure. Is this protection against ALL search and seizure? No, it’s against unreasonable search and seizure.

Let’s go back to the First Amendment. Are there limits to the freedoms there? Obviously yes. Defamation and slander, to name two. What about the Second Amendment? Yes, there are limitations. You cannot own a firearm if you are a felon or have a dishonorable discharge.

Two things are true. We accept limitations to freedoms and we accept that freedom comes with responsibility (freedom is not license). Why? Why do we accept this limitation? Because we understand the truism, “your freedoms end where mine begin,” AND the converse, “my freedoms end where yours begin.”

Where does this put vaccination? TLDR; get your shot, and STFU you coward. Expanded version? Regardless of your beliefs you do NOT have a right to imperil me or risk my life for the sake of your ignorance, cowardice, or convenience. Expanded further, just like I can’t walk into a theater yelling, “Fire!” under the protection of freedom of speech, you CAN NOT skip out on getting the vaccine or mask mandates because of your belief (acceptance of claims without evidence) OR faith (acceptance of claims despite evidence) OR religion (the codification of belief and faith).

I’m tired of people demanding their inability to accept reality to play second fiddle to that which consistently comports to reality to the exclusion of all other possibilities (what we call evidence). No, I will not sit quietly while you demand the country go through another Dark Ages. No, I will NOT pretend that your belief, faith, or religion hold ANY validity regardless of HOW deeply held, while you cower behind it imperiling my wife and my children.

I’m calling out your beliefs of convenience that are more strongly based on the selfishness, narcissism, and egocentrism, of what you BELIEVE freedom to be, rather than what it is. Freedom is NOT an excuse for idiocy. Freedom is not an excuse for cowardice. Freedom is not an excuse for ignorance.

…Life, liberty, and the pursuit of happiness

That’s the Declaration of Independence speaking. It’s in THAT ORDER for a reason. You CAN NOT have pursuit of happiness WITHOUT liberty. THAT IS TRUE. But it is NOT the ONLY truth.

YOU CAN NOT HAVE LIBERTY WITHOUT LIFE! Dead people have no freedoms. THE REASON freedom is fought for and people die for it is BECAUSE there is no difference between slavery and death. Slaves have nothing to lose by fighting for freedom.

Don’t call me a sheep while you are taking animal medications pretending that it is a better solution. You’re the only one acting with the intelligence of a barn yard animal.

WHAT ABOUT MY BODILY AUTONOMY?!?!?! Why don’t you accept that argument from women needing an abortion? Since you won’t accept that argument from them, violating doctor-patient confidentiality, and inserting yourself in a decision that not only has nothing to do with you, it’s already been legally decided by the Supreme Court, I won’t accept your hypocrisy in using it.

BUT THEY’RE KILLING BABIES!!!!! So is your ignorance, idiocy, and cowardice in not getting vaccinated. So no, I don’t accept this argument.

IT’S JUST THE PHARMACEUTICAL INDUSTRY MAKING MONEY!!! Because they make MORE money from the public getting two vaccine shots than they do from hundreds of thousands of multi week stays in an ICU? But that’s just the beginning. Many ICU patients die and family gets to pay. Pay for medical bills and pay for funeral expenses. That’s DEFINITELY cheaper than two FREE shots, right?

And you have NO rational, reasonable, logical argument. “I don’t wanna,” is the realm of toddlers. And I don’t care if you don’t want to.

I know the next TRUMPeting of a conspiracy is going to be, “oh noes, all the conservatives are dead cuz freedom required them to not get vaccinated and now the dead can’t vote…” so what? MOAR GERRYMANDERING! NO, BETTER, require a 3/5’s compromise under “the vaccinated are slaves to reality and we in our enlightened religion aren’t slaves and slaves only count as 3/5’s of a vote…”

Stop acting like an ass… horse… whatever, this isn’t “Animal Farm,” stop being a coward, grow up, put your big girl panties on (whatever gender you claim), and get vaccinated.

Signed — An Army Veteran

Edit “But what about people that can’t get it for medical reasons?”

You mean people that HAVE a rational, reasonable, logical reason NOT to get vaccinated?

Amateur Radio Needs to Catch Up (pt.5)

July 3, 2021

This is a continuation of a series of articles recommending improvements for the Yaesu FT-2DR.

Get rid of everything on the right side of the radio and make it flat.

Starting at the bottom, the EXT DC IN must go. The USB 3.1 standard allows for 9 watts of power and data to use the same connector. Stop requiring connectors to do a single job. If it MUST be on the radio, make it do as much work as possible. Combine the data and DC power connector into a single connector, and put it on the bottom in the right corner.

Next one up, the MIC/SP connector. GET RID OF THIS. Have you NOT heard of bluetooth? Why are you requiring the use of cables in 2021? Make a MIC/Camera handheld device that is bluetooth based. Make the Mic rechargeable by having a micro USB connector on the bottom. This way it can use any phone charger, connect to a computer, connect to the port on the bottom right, etc. And while we’re talking about a camera, 12 MP. Period.

We’ve already talked about the Data connector.

Now we are down (up) to the microSD card slot. This is unnecessary. If the radio can connect through USB (which we’ve already addressed), make it so that the storage inside the radio is read like a drive on the computer that is connected. Then backup files, logs, and configurations can all be accessed directly. The software for configuring the device can read and write directly to the onboard memory. Since there is going to be a camera and applications, a minimum of 32 GB of onboard storage is a must.

With all that gone, we can now make the side flat so that someone can set the radio on its side and use it as a monitor (connecting a bluetooth keyboard). The power cable will not knock the radio over when connected. This makes the configuration field expedient and functional.

Amateur Radio Needs to Catch Up (pt.4)

July 2, 2021

Android

This is a continuation of a series of articles recommending improvements for the Yaesu FT-2DR.

Add a computer to a handheld and make a SmartHT™. Use Android so that people can use the mountain of already available Android software. They can edit/resize photos, create/edit documents, log, track satellites… This would become the most common radio in the field during emergency exercises.

73 - WN7ANT

Amateur Radio Needs to Catch Up (pt.3)

July 1, 2021

Tri-Band

This is a continuation of a series of articles recommending improvements for the Yaesu FT-2DR.

Time to add 1.2 GHz. Why? Data speeds. This radio must be able to handle 256kbps data speeds to other radios, repeaters, and nodes. This can be done using C4FM and 128K baud transmission. Using this speed, a 12 MP JPEG (average 5 MB) could move from one device to another in 20 to 30 seconds.

73 - WN7ANT

Ultralight Backpacking and Bushcraft (pt.2)

July 1, 2021

Another group of enterprising individualists call themselves Bushcrafters. If they do not have it with them, they can make it or improvise. They bring tools to the outdoors. They build a place to sleep, capture/hunt/forage for food, and pride themselves on their knowledge of technique for doing it themselves.

Tomorrow, we start comparing and contrasting…

Upgrading the Prusa i3 MK3S to a 3S+

June 30, 2021

I got the upgrade for my Prusa i3 MK3S. Since I needed to tear down the extruder anyway I included a Copperhead heat-sink from Slice engineering. The thing I’m looking forward to today is getting this functional again. Looks like this right now…

This started life as a kit that I assembled. It’s the second tear-down/rebuild while I’ve owned it. I figure if I can build it I’m qualified to repair and upgrade it.

Ultralight Backpacking and Bushcraft (pt.1)

June 30, 2021

There are many forums that address Ultralight backpacking. A common concept you will find is reducing your pack weight to 10 pounds (4.54 kg) to achieve the moniker “ultralight.” Another is not bringing the kitchen sink. The idea is to take only what you need and will use. Many try to turn this into, “leave important stuff at home.” Only idiots do either of those things. Nowhere in UL backpacking is anyone ever told to leave a first aid kit at home, forget those prescribed pills, or not bring a map because it weighs too much. These are myths told by people to support their need to bring the Kindle, iPad, Android phone, radio, TV, and… kitchen sink. They love their sixty pound packs for a three-day hike.

Tomorrow…. The other side of the story.

Madness

June 30, 2021

A sure road to madness is debating that individual that believes ignorance and irrationality are to be respected as opinions.

Amateur Radio Needs to Catch Up (pt.2)

June 30, 2021

Touch Screen

This is a continuation of a series of articles recommending improvements for the Yaesu FT-2DR.

It’s time to use a capacitive eInk touch screen that is the full size of the front face of the radio (minus the speaker). Get rid of all buttons on the front of the radio. Raise the resolution of the screen (800 x 450 minimum). That is a 16 x 9 ratio, yielding a 2 x 3.2 inch screen size. With capacitive touch, you can be wearing gloves, and it will still respond. There are color eInk screens that refresh fast enough to show video. Use one.

73 - WN7ANT

BeatStep Pro MIDI Controlling the Gotharman’s SpazeDrum

June 29, 2021

Connect the BeatStep Pro to a computer using a USB cable. Open Arturia’s MIDI Control Center. Make sure the BeatStep Pro is selected under Device. On the left side, under the Project Browser window, select Default under Factory Project. In the upper right-hand corner, select the Device Settings tab. Scroll down. At the bottom are the settings for the User Scale. Scroll up to Drum Map, directly above that.

Select a custom Drum Map (click the dropdown). Once that is selected, set Pad #1 to 48. To the left of where it says Pad #1 MIDI channel there is a box with a number in it. Click in the box and change it to 48. Go down the column below the number 48 and set each pad to an incrementally higher number. Starting at 48 you should have all 16 pads correctly numbered when you get to 63.

Once this is set, select Export in the upper right-hand corner. Create a file named SpazeDrum. Now you permanently have a file with settings configured to use your BeatStep Pro with your Gotharman’s SpazeDrum.

Arturia BeatStep Pro, powered by the Gotharman’s SpazeDrum

June 26, 2021

I connected my Arturia BeatStep Pro to my Gotharman’s SpazeDrum over MIDI. I am powering the BeatStep from the USB port of the SpazeDrum. As stated in the previous post, the analog audio out from the SpazeDrum connects to the first two channels on the BlueBox. Select the Drum channel on the BeatStep (the purple channel) by pressing the button labeled DRUM in the bottom-left corner (approximately). Then press and hold the CHAN button on the BeatStep. The purple LED in the sequencer row lights up number 10. Hit the EDIT button on the SpazeDrum and select SETUP (by tapping on it on the screen). Select COMMON in the next screen and the SpazeDrum displays Chan 1. Adjust it to Chan 10 (to match the BeatStep Pro) by rotating the knob labeled Edit2. Exit back to the main screen.

The G#, A#, OCT-, and OCT+ pads activate the first four buttons (DrumOsc, Filter, EFX, VCA) of the sequencer on the SpazeDrum. No other pads seem to activate anything yet. This is a step in the right direction. Looking at the settings for those four pads in the Arturia MIDI Control Center will provide answers for what needs to change. The expected action is that the top four left pads of the Arturia BeatStep Pro activate the first four buttons of the SpazeDrum sequencer.

BeatStep Pro powered by SpazeDrum USB port and connected using MIDI cables

Amateur Radio Needs to Catch Up (pt.1)

June 26, 2021

This is one of my favorite handhelds. I am partial to Yaesu, because it was also my first handheld. When I was originally licensed 17 years ago, I got an FT50. Since then I have owned a VX-6, and this.

The FT2D is Yaesu’s handheld foray into the world of digital modes. This handheld uses C4FM. It can connect directly to other handhelds, nodes, and repeaters using digital modes. It can transmit voice and data simultaneously. The people you are communicating with can know who they are talking to, where the person is, and even see what is going on (camera mic attachment).

As neat as all this is, I hope this radio is just a proof of concept. This series will list the must have changes that need to happen in the next iteration of this radio.

73 - WN7ANT

The State of Colorado is responsible for the current rash of fraudulent unemployment claims in the…

I discovered somebody had filed for unemployment insurance using my identity. As a security professional I’m pretty cognizant of usernames/passwords, reuse, complexity, etc.

So I was curious how someone could have filed a claim in my stead.

First, they would go to cdle.colorado.gov, select returning claimants, then click on MyUIClaimant.

Next, when the website pops up, they select, “I forgot my username.” They populate the Email ID with an email address of a Colorado resident and…

Well, actually, if they know scripting at all they could use a tool like Burp Suite or curl.

Anyway, they populate the email ID and the four-digit Social Security number check with 0000. Then they have a computer script (trivial to put together) try the other 9999 possibilities. After a few seconds they have identified the user ID from the email.

Then they take the email address they just used, with the last four digits of the SSN, and do the same thing to get the password.

The attacker logs in to the account with the login and password of the victim, provided by the State of Colorado, and changes the email address to one the attacker has access to. Then they force a change of PIN to be sent through regular mail to the victim.

When the victim receives a PIN they didn’t request in the mail, they go to the Colorado State website to have the virtual assistant help with changing the PIN. Several questions are asked: the victim’s SSN, their birthdate, their zip code.

And after the victim provides the Virtual Assistant all of this information to verify their identity…

The State of Colorado sends the new PIN to the attacker’s email address instead of mailing a new one. The attacker can now access all of the victim’s personal information.

Thanks, Colorado. I appreciate you sending all MY personal information to…

I guess it doesn’t matter who you sent it to, not like you would know.

So what can I do about this? Nothing. Colorado’s unemployment office is so backed up, a human won’t interact with you on the phone. They are scheduling calls a month out. The system is so backed up it’s not scheduling more calls. Call the local police? The detective responsible for fraud investigation is on vacation. Call the state department of labor? They won’t answer the phone and it doesn’t go to voicemail.

So, here is how you will have your identity stolen if you live in the state of Colorado. I tried to provide this information to the State, but no one gives a damn. As a Colorado resident your personally identifiable information is of no concern to the state.
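The recovery step described above, as an added example that is not code from the original post or from the state’s system: a constructed model of an “I forgot my username” endpoint gated only by an email address plus four SSN digits, the 0000–9999 loop run against it, a hardened variant of the same endpoint (identical reply on hit, miss, or lockout; per-address attempt limit), and a log check that would have flagged the enumeration. The resident record, the thresholds, and every name below are assumptions made for the demonstration.

```python
# Added example, not code from the original post or from the State of Colorado.
# Constructed model of a "forgot username" step gated only by e-mail address plus the
# last four digits of an SSN, the brute-force loop the post describes, and a hardened
# variant of the same step. All names, records and thresholds are assumptions.
import hmac
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample record for a single fictitious resident.
ACCOUNTS = {
    "resident@example.com": {"ssn_last4": "4271", "username": "jdoe1987"},
}

GENERIC = "If the details match, we will e-mail your username."
MAX_ATTEMPTS_PER_EMAIL = 5        # assumed lockout threshold for the hardened variant
ENUMERATION_ALERT_THRESHOLD = 50  # assumed alert threshold per targeted e-mail address


@dataclass
class RecoveryService:
    """Simulated 'I forgot my username' endpoint.

    hardened=False: replies with the username when e-mail + last four match (an oracle)
                    and never throttles, so all 10,000 combinations can be tried.
    hardened=True:  same reply whether the guess was right, wrong, or over the limit,
                    and locks the e-mail address after MAX_ATTEMPTS_PER_EMAIL tries.
    """
    hardened: bool = False
    attempts: Counter = field(default_factory=Counter)
    log: list = field(default_factory=list)   # (email, guess) pairs, as a server log would hold

    def forgot_username(self, email: str, ssn_last4: str) -> str:
        self.log.append((email, ssn_last4))
        self.attempts[email] += 1
        if self.hardened and self.attempts[email] > MAX_ATTEMPTS_PER_EMAIL:
            return GENERIC                      # locked: indistinguishable from a miss
        rec = ACCOUNTS.get(email)
        if rec is not None and hmac.compare_digest(rec["ssn_last4"], ssn_last4):
            if self.hardened:
                return GENERIC                  # hit, but delivered out of band, not in the reply
            return f"Your username is {rec['username']}"
        return GENERIC if self.hardened else "No match."


def brute_force_last4(svc: RecoveryService, email: str):
    """The scripted step from the post: try 0000..9999 and read the username from the reply.
    Returns (username, requests_made); (None, 10000) when the endpoint gives nothing away."""
    prefix = "Your username is "
    for n in range(10_000):
        reply = svc.forgot_username(email, f"{n:04d}")
        if reply.startswith(prefix):
            return reply[len(prefix):], n + 1
    return None, 10_000


def enumeration_suspects(log, threshold=ENUMERATION_ALERT_THRESHOLD):
    """Detection side: e-mail addresses with more recovery attempts than a person would make."""
    counts = Counter(email for email, _ in log)
    return {email for email, c in counts.items() if c > threshold}


if __name__ == "__main__":
    weak = RecoveryService()
    print(brute_force_last4(weak, "resident@example.com"))   # ('jdoe1987', 4272)
    print(enumeration_suspects(weak.log))                    # {'resident@example.com'}
    hard = RecoveryService(hardened=True)
    print(brute_force_last4(hard, "resident@example.com"))   # (None, 10000)
```

Two things make the weak variant enumerable: the reply is an oracle (hit and miss look different), and nothing limits attempts per targeted address. The hardened variant removes both, and the ten-thousand-try loop then learns nothing. Keying the limit on the targeted identifier rather than on the source IP is deliberate: a script spread across many addresses would sail past a per-IP limit, but every guess still lands on the same account.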

Doom Eternal: Botched all to Hell

March 21, 2020

Are you really surprised by that title? Let’s review the blunderous release and negative impact on ENTIRE GAMING RIGS for 5% more FPS…

I “pre-downloaded” Doom. Once it was installed my Steam client (because installing game without a company getting their hooks in your data isn’t a thing anymore) informed me that I’d be able to play this on the 19th of March. So, I tried all day. That was wrong.

Okay, the 20th hit. Oh look, I’m able to play. Well, that was the release date, so no harm done. I played for half an hour and liked what I saw. I have a 4K HDR monitor and an AMD 5700 graphics card. The rendering was glorious. I set the screen resolution to 2k and locked the FPS to 60. I was in heaven… hell…. Wherever I was supposed to be. I was SO THERE!

Then there was an update to Doom Friday evening. Wow, okay, let’s get that installed.

Once done, I hit play and…

“You need to update your Adrenalin drivers to 20.3.x” I can no longer play Doom because it demands that I use updated drivers.

Okay, I drop in the Adrenalin driver front end and an hour later..

1%

For a 400 meg file. It errored out because bandwidth was so constrained from the source… and of course it was. Everyone that was playing Doom with an AMD card was updating their drivers too…

So I jump over to the AMD website and try downloading the Adrenalin drivers. The whole package. It starts…

And informs me it’ll be two days.

I go to bed frustrated. I remember playing Doom on a 386. The day it came out. For hours… weeks… months… straight.

When I wake up in the morning I check the Adrenalin download. It errored out, because of course it had. So I restart the download.

Twenty mins later I have the drivers (6 a.m. Saturday morning). Now we’re in business…

Except that when I double tap the file Windows Defender protects me from myself, because why would I want to run an executable? I check a box and tell it to install anyway. Windows 10 then informs me “it’s not a Windows file.” Of course it is, I selected the Win10 download from the site, it’s an executable, and you tried to protect me from running you ignorant…

I try right clicking on the driver and install as Admin. Now Windows tells me it can’t find the file, though I can see it right there in file explorer.

Frustrated as hell at this point I go back to the Adrenalin drivers and tell them to update again. This time the update runs, and installs. Guess the driver can circumvent the Win10 bullshit. Thankfully the driver installs. Finally, I can play Doom.

I click Play and…

Let me translate this for you. I have been provided drivers that will give me 5% more FPS, something I don’t benefit from in ANY WAY because I locked the FPS at 60, in exchange for playing ANY games in HDR. This means I CAN’T play Star Wars Jedi:Fallen Order in HDR anymore.

Before the update everything worked great, after the update I have to give up EXPECTED FUNCTIONALITY.

To ID, to AMD, I say fuck you, you thoughtless imbeciles. WHY would you make a game REQUIRE me to update to buggy drivers that negatively impact MY ENTIRE GAMING EXPERIENCE? No, a 5% boost in FPS is not worth LOSING HDR. And the fact that I get to be a victim of that stupidity, instead of choosing what works best for me….

What Information Security is Not.

Part 2 of an infinite part series

“You realize I’ll have my certification in six weeks.” I’ve heard this before. When I worked as a technical trainer in InfoSec the manager of the school said that he had, “sat for the class for that certification.”

So?

Earning a certification is a starting point. It shows that you have at minimum a certain set of knowledge. It is not the ending point where you get to say, “gee, my certification grants me authority…” An argument from authority is still an argument from authority. And since it seems that it has to be said, no, sitting in a class for a certification is not the same as taking the test and passing.

Imagine for a moment you are about to make an appointment with a surgeon for routine surgery. Your choices are someone that is going to have their medical license in six weeks, someone that has “sat the classes,” or someone who’s been licensed for six years. I know who I’d go with.

The facts are that a test only shows what you know at a given time. The certification is a way of showing that you have in fact demonstrated MINIMUM competency. Too often it’s treated as though it demonstrates MAXIMUM competency. You’ll find articles that decry the value of (insert said certification here) as useful or valuable.

The reality is this. Your certification has the value you provide it. You either build on it, or let it lie fallow. A certification is not like a degree. A degree shows that you can jump through hoops to people’s satisfaction. A certification shows that you have knowledge. Sadly, degrees never expire. Certifications can expire if you don’t update your knowledge base with continuing education units.

It’s no wonder that certain certifications in my field count towards half a Masters Degree. The Masters Degree counts towards… nothing. But it sure looks good with all that alphabet after your name, doesn’t it? Don’t worry, I’ll have my Masters degree in a year… or two.

Next time we’ll complain about the Ford Edsel, and the lesson it taught that security ignores.

Difference?

There are many graphics running around FaceBook at this time of year answering the question, “What’s the difference?” It seems there is much confusion around Memorial Day, Veterans Day, and Armed Forces Day. Why do we spend so many days of the year honoring the same people over and over?

There is a huge difference you will be told. “We have to understand that this is not that, and these are not those.” This is the rally cry of explanation, separation, and difference. So what is the difference really?

When I was 17 years old I had few prospects after high school. No one was rushing to send a person that “graduated” in the bottom ten percent of their class a college education. I knew no trade, and no one was willing to invest in me. I was white, I was male, and if I did not know what I was doing the day after graduation, I would be homeless.

Originally I thought I might join the Air Force. Then I met an Army recruiter and my thinking changed. I was guaranteed to be trained for a specific job. This meant I could select something that I could use in the civilian world. The Army would invest in training me into a trade, and I got to pick it.

After listening to the recruiter’s “sales pitch,” I thought. It seemed that everyone has a blank check when they get out of high school. I was being asked to sign my blank check, in its entirety, over to Uncle Sam. This blank check was for the value of a person, up to and including… their all. I could be called on to die. My parents reminded me that this was my choice to make. I could choose not to sign over the blank check.

If you chose to sign over your blank check to college for a time, or to a trade school, or to waitressing, or to being the person that fixed my car, thank you. I really mean that; it means a lot to me that when I needed my car fixed, or dinner, I had someone to count on. If you do your job well, and make it so that I don’t have to do it, trash person or journalist, thank you.

I chose to do with my blank check the thing I thought mattered most. I invested in every citizen of this country. The war monger and the pacifist. The CIS gendered and not. Men and women. The practical and the dreamer. I wanted to be part of the reason that they all had a chance. I wanted to protect everyone else’s right to choose for themselves, because of how important that choice is to me.

I wanted to ensure that everyone in this country had the same freedom I did, and do. I knew that to ensure that could happen, people like me needed to hand over a blank check. So, like many before me I did exactly that.

I received an honorable discharge on October 11th of 2000. While I was in the Army, friends died. I went to funerals. Thankfully there are still those in the military working to offer me, my wife, and daughters freedom. “Rough men stand ready to do violence on my behalf.”

What is the difference between them and me? “But for the grace of god there go I.” What this says is, I was not in control of what happened, and it is little more than luck that I can write this. Someone had to go, they drew the low card. At the end of the day, we had the same training, and I was not a “super soldier.” That could be me in eternal rest.

As for being in the military, my time came and went. I am an old fat man now. I rant about politics. Complain about policy. I have trained service members. I get to sleep at night.

So on Memorial Day, or Veterans Day, Armed Forces Day, or whatever day it is. If you look at the similarities these three groups have, instead of the difference, and walk up to one of us and say, “Thank you.” I’ll say “You’re welcome.” But I offer you this, the best way to say thank you to me, and any member of the armed forces living or dead, is to sleep well.

The usual, “compare X to cars,” argument

June 11, 2019

I am an Army veteran. I enjoy shooting. I have a CCP (Concealed Carry Permit). I average a trip to the range every week. While there I spend a minimum of one hour using a firearm doing drills like drawing from a holster and shooting, picking up a firearm from a flat surface (table) and shooting, and shooting with my off hand. That means I spend a minimum of 52 hours a year training with my firearm. I average one firearms class per month (average length, one day). It’s even documented.

Dave Grossi is a retired police Lieutenant from upstate New York. He has served in multiple capacities as an officer. In 2017 he wrote an article about the training officers receive. He said, 

In reality, most police departments only train about two times a year, averaging less than 15 hours annually.

Soak that in for a moment. On average I do 400% more training with my firearms than police officers do.

Four times.

Now for some car comparisons. “Guns are built to kill people and cars are built for transportation.” Interesting comparison.

In 2008 there were 304.1 million citizens in the U.S. 11,000 were killed with one of the 4,498,944 firearms. In the same year 37,261 people were killed with one of the 255,917,660 cars nationwide. 

Cowards in black robes

I have two daughters. One is 8 and one is 3. I once heard someone say that when you have children your heart walks outside of your chest. I understand what that means now.

On February 14th four people proposed a law in my state that does nothing to protect, and will harm with unintended consequences. Two Senators (Lois Court and Brittany Pettersen) and two Representatives (Tom Sullivan and Alec Garnett) have proposed to sidestep the Constitution. HB 19–1177 “Extreme Risk Protection Order,” does not provide protection, and does not eliminate extreme risk.

In fact on June 27th, 2005 The Supreme Court ruled that the police did not have a constitutional duty to protect a person from harm, even a woman who had obtained a court-issued protective order against a violent husband making an arrest mandatory for a violation. To be clear, police are NOT required to place themselves in harms way to protect you.

That’s right, the Supreme Court has already ruled on this. The police have NO Constitutional duty to protect. That means that the police have no Constitutional duty to act based on someone’s feeling, beliefs, best interpretation of reading tea leaves, tarot, or emotional response. It is up to individuals to protect themselves.

But here we are, with senators and representatives that assume they have the authority to ignore the Supreme Court and demand that police intercede on the assumption of a crime being committed instead of crimes that are or have been committed. Frightening powers are being handed to courts to hold secret meetings to hear one side of a case, and based on the opinion of someone making a sworn statement that there is a threat, we need to circumvent the Constitution and act without regard to due process, and steal from people based on say-so alone.

“But there is penalty of perjury,” you say. Not really. Not unless it can be proven that the person that filled out the form did not believe that the gun owner in question would actually commit the crime. Here’s the problem with that nonsense. Belief is literally accepting a claim without evidence. So what is being proposed is that people that are claiming something without evidence can decide to have the police violate Constitutional rights.

I swore to uphold and defend the Constitution the day that I became a Soldier. What would you have me do now? Politicians are choosing to follow a course of action that violates the Constitution. I’m not a Constitutional scholar, but in this case I don’t need to be one. I know that the Constitution is under attack by this legislation.

Am I expected to make a special case because these are legislators? Am I supposed to sit on my hands and do nothing while laws that negatively impact my ability to protect my children are proposed? I have an ex-wife. We divorced two decades ago. She has lied to judges before, they knew it and did nothing. Cowards in black robes will not protect us from poorly thought out laws. They have no incentive, AND THEY HAVE ALREADY TOLD US WE ARE RESPONSIBLE FOR OUR OWN PROTECTION.

So what am I supposed to do? While bad laws are being written and proposed, what am I supposed to do? I am a skeptic, an Atheist, and a disabled vet. What do you expect me to do, when the police show up at 5 a.m. raising a ruckus, and I’m bleary eyed and confused and show up at my door to protect my family, armed because of the amount of noise, and on the other side of the door are jack booted thugs bent on wiping their asses with the Constitution?

What do you expect a law-abiding gun owner, with a wife and two girls expecting to be safe in their home from unreasonable search and seizure, to do? They have already executed one individual with a red flag law. Who would think, after something so tragic, that it needs to happen in Colorado? What is it about this summary execution that these four individuals (Lois Court, Brittany Pettersen, Tom Sullivan and Alec Garnett) liked so much they want to see it happen here?

How you make it difficult for me to enjoy a public performance (I’m looking at YOU Chris Rock)

Ten years ago I received a prescription that changed my life. I am a 43 year old disabled vet that has been diagnosed with Attention Deficit Disorder. I have spent twenty years looking for the drug (under the supervision of a psychiatrist) that will give me that, “I’m normal now,” feeling. I tried many pharmaceuticals and have met with limited (no) success.

If I were to describe Attention Deficit Disorder it would translate to the familiar refrain, “capable of better and or more work.” My life is a story of missed opportunity, wasted energy, and spectacular failure. I am, by some accounts, my own worst enemy. I have had an average of two different employers each year for two decades.

The problem I have is one of executive function. I have been told something that I WANTED to know, and five minutes later can’t remember what was just said. I can make plans that sound completely reasonable, and fail to follow through because… I forgot. I can create exceptionally. My IQ was tested, it’s a non-issue.

When I heard of someone using a prosthesis to remediate the problem, I was intrigued. If I could find something that made it possible for me to interact with people in a manner that made them comfortable, did I not owe it to the people that matter to me? Should I not at least TRY this revolutionary device in the hopes that I would be at least average?

The psychiatrist that was attending me wrote a prescription for a “digital assistant.” It could be a tablet, a phone, or any other type of device that would assist me with executive function. I was elated. The ensuing decade has been amazing. I have done things that I could not have done, because I could not have followed through.

Now I discover that there need to be “smart phone free” zones. I can’t enjoy a public performance because I NEED to have a device with me. That people think they have all the answers on how I REALLY need to solve my problem, if I just did it their way, is both demeaning and insulting.

So I ask, could someone explain it to me like I’m seven, so that I can explain to my seven year old daughter why dad can’t take her to public performances?

How you have layered security wrong and what it will cost you

I’m going to provide a simplified example of what layered security isn’t. Let’s assume you want to put up a physical wall. The technical term is “barrier,” but let’s use wall to keep it simple.

You start calling contractors and let them know that you are interested in having a wall put up. You schedule a meeting with three different contractors to hear their sales pitch. The first one shows you a picture of what you expect a wall to look like; the description matches what you expect a wall’s description to be, and the material and thickness meet your needs.

The second contractor uses what appears to be the same graphics in their presentation. However, the contractor points out that their wall is actually two walls that are each half as thick as the previous contractor’s wall. They tell you that this is because they implemented a security practice called “layered security.” “This improves security because if the first layer fails, you have a second one.” Everything else is the same: total thickness of the material, material used, wall height, etc. Except for the price, of course. They charge twice as much for their wall.

The third contractor comes in and has a unique graphic that catches your eye immediately. They have a wall that is half as thick as the first contractor’s. Theirs is made out of the same material as the first contractor’s. They also have a line splitting it, showing that it is “actually” two walls too; they’re just touching, like the second contractor’s.

The major difference here is that they have another separate wall, well, not a wall exactly. It’s a chain link fence. They also tell you how important layered security is. They point to the fact that they have three layers, and even have a unique outer layer of security. They of course present the most expensive wall solution at four times the cost of the first.

Ladies and gentlemen of the jury, if I asked you based on this story what you thought of “layered security,” what would your answer be? Would you respond, “that seems brilliant?” Would you exclaim, “this seems like the emperor has no clothes?” Would you ask how you could get hired by the third company?

This is a common problem with people new to Information Security. They mistake “layered security,” also called the “security onion,” for what I have described above.

I could tell you a story about another company that builds impenetrable walls, because their walls have infinite layers… that are infinitesimally thick. But, they’ll tell you that it’ll take an infinite amount of time to get through them…

Instinctively, you know that something is wrong here. And you’re right, there is. Let me build a comparison example, and we’ll see what the difference is so that we can understand what layered security is.

At the last minute you meet with another contractor. They show you that they too will build the same wall as the first contractor does. Same height, same thickness, same material, same craftsmanship. “Well, okay, but I already have that option?” “We also include an alarm system that will alert you of any damage to the wall, or if anyone goes over it.” They tell you that the total system costs as much as the second contractor’s.

Now how do you feel? If security was the deciding factor, not money, would you purchase this “wall?” Why?

Layered security is often confused with redundancy. That was our third example. You actually have two walls (one is a chain link fence). They both exist at the same layer, and both function similarly, though not exactly the same way. If one fails, you expect the other to do the job the first failed at, but again, do the job a similar way.

What that last example gave you was security done a different way. If I were applying this design to network speak, I’d have a firewall with a SIEM. A firewall and a SIEM don’t operate at the same layer, don’t function similarly, and don’t require the existence of the other to function at all. The firewall enforces a decision on every packet but keeps no memory of what it turned away; the SIEM enforces nothing but remembers everything the firewall told it and can spot the pattern that no single packet reveals. Yet when used in concert, you have…

Layered Security

The term, when used correctly, describes an important concept. When the term is used incorrectly it provides a false sense of security and is an effective way to waste time and money.
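To make the firewall-plus-SIEM distinction concrete, here is an added Python example (it is not from the original post and does not model any particular product). One function is a stateless packet filter that answers ALLOW or DENY for a single packet; a separate correlator reads the firewall’s deny log and raises an alert when one source is turned away on many different ports inside a short window, which is the kind of port probe no single packet decision can see. The rule set, the log format and the log lines are constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall rule set: one explicit allow, default deny.
# (destination, port, action) tuples; a real device has far richer rules.
FIREWALL_RULES = [("10.0.0.5", 443, "ALLOW")]


def firewall_decision(dst: str, dport: int, rules=FIREWALL_RULES) -> str:
    """Layer one: a stateless, per-packet decision with no memory of the past."""
    for rule_dst, rule_port, action in rules:
        if rule_dst == dst and rule_port == dport:
            return action
    return "DENY"


# Constructed sample deny/allow log in a simplified syslog-like format
# (timestamp action src -> dst:dport). These lines are made up for the example.
FIREWALL_LOG = """\
2019-06-11T03:00:01 DENY 198.51.100.7 -> 10.0.0.5:22
2019-06-11T03:00:02 DENY 198.51.100.7 -> 10.0.0.5:23
2019-06-11T03:00:02 DENY 198.51.100.7 -> 10.0.0.5:25
2019-06-11T03:00:03 DENY 198.51.100.7 -> 10.0.0.5:80
2019-06-11T03:00:04 DENY 198.51.100.7 -> 10.0.0.5:443
2019-06-11T03:00:05 DENY 198.51.100.7 -> 10.0.0.5:8080
2019-06-11T03:00:09 ALLOW 203.0.113.20 -> 10.0.0.5:443
2019-06-11T03:05:00 DENY 203.0.113.20 -> 10.0.0.5:23
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dport"] = int(ev["dport"])
    return ev


def detect_port_scans(log_text: str, distinct_ports: int = 5, window_seconds: int = 60):
    """Layer two (SIEM-style correlation): flag a source that was DENIED on at
    least `distinct_ports` different destination ports within `window_seconds`.
    Returns one alert per offending source."""
    denies = defaultdict(list)  # src -> [(timestamp, dport), ...]
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["action"] == "DENY":
            denies[ev["src"]].append((ev["ts"], ev["dport"]))

    alerts = []
    for src, hits in denies.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # slide a window starting at each deny
            ports = {p for t, p in hits[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(ports) >= distinct_ports:
                alerts.append({"src": src, "start": t0, "ports": sorted(ports)})
                break  # one alert per source is enough for this illustration
    return alerts


if __name__ == "__main__":
    print(firewall_decision("10.0.0.5", 22), firewall_decision("10.0.0.5", 443))
    for alert in detect_port_scans(FIREWALL_LOG):
        print(f"port scan from {alert['src']} starting {alert['start']}: {alert['ports']}")
```

Neither piece needs the other to run: the filter blocks the probe whether or not anyone is watching, and the correlator would raise the same alert if the denies came from a host-based firewall instead. That independence is what makes them layers rather than two copies of the same wall.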

The value of your CISSP

Declaring the CISSP a “foot in the door” certification is to clearly misunderstand its purpose in today’s information security environment. The problem with the CISSP is not the certification per se, but rather the misunderstanding of what it is, what it is for, and what it documents.

The fact that there are people that do not take this certification seriously says more about the people that joke about it than about the people that hold the certification. Should this certification be taken seriously? Absolutely. “Average” people study for a year before they take the exam. The test is a grueling 6 hours. When you have taken the test and passed, you feel like you have accomplished something. This is because (after checking every place I could find online) first-time failure rates may be as high as 70% to 80%.

There is a claim that the material is worthless to 99% of people involved in information security. I find that claim fascinating as I have actually been responsible for fire extinguishers, fences, and lighting. Here is the first misunderstanding that needs to be corrected. This certification is for MANAGERS in information security. Think operations managers, project managers, or even attorneys. These are the people that need to understand why things work the way they do and the terminology that is used, but do not need to worry about doing it themselves.

The CISSP relies on experience instead of requiring demonstration of hands-on skills. This is because the certification is designed for people that will be leading the implementers. The reason that you need to understand the concepts is so that in communication with those that speak technojargon, you can translate correctly what is meant, and why. Everyone in middle management that is responsible for IT should be required to have a CISSP. Upper management should consider specializations. To claim that tangible “real” skills are the only thing of value is to miss that an army of workers with no direction accomplishes nothing. The CISSP can bridge the gap between an MBA and the IT security team they run.

If you are of the opinion that this cert is not what you want in your IT sec team, then find the one you do want. Select a vendor’s security certification. Cisco and Juniper have many to choose from. These certifications are outstanding for implementation. Need to certify someone’s ability to do a vulnerability test? How about an OSCP? Instead of demanding that (ISC)² destroy this test in favor of another test that already exists, why not correct your view of what this test represents?

Why would someone be proud of their CISSP?

  • Studied for a test instead of watching TV.
  • Took and passed a test that most people fail their first time through
  • You have documented that you have at least five years of related experience
  • It can count as a significant portion of a college degree
  • It documents a standard that you have achieved
  • You can assist people in the same accomplishment

People, your understanding is broken

HR offices know little to nothing about the breadth and scope of information security. The people that work there are not required to understand the intricacies of what a particular certification means. The people that contact HR and request an employee determine what certifications are required. Arguing will not get you much.

As a CISSP, keep in mind that you have more to learn. It should not be your only certification. If you earned your certification from an online brain dump, you are part of what is called the paper tiger brigade: people with certifications who do not understand how to apply them. Examples are Cisco Certified Network Professionals who have never touched a router, CHFIs who do not know what tool to use to recover a file on a Linux box, and Network+ holders who cannot even subnet. Paper tigers reduce the value of the certifications they misrepresent.

So what do I propose?

We need to document people that are paper tigers. When you hire one and discover they can not do the job, there should be a reporting mechanism to identify what the discrepancy was. As this individual moves from employer to employer there would be documentation of issues. If there are enough issues, the certification should be pulled. This way we can eliminate paper tigers that affect all valid certification holders by bringing down the value of the certification. Instead of demanding destruction of certifications, we should make sure we understand what the certification certifies, and be willing to document undeserving candidates.

The decline of media, and why you won’t read this

If you’re in your teens or twenties you won’t read this. Your reaction will be “ew, a wall of text.” If you’re in your late twenties or thirties, you won’t read this. It goes against the socially “correct” position to have, even though what it asserts is factual. If you are in your late thirties to forties, you won’t read this because it doesn’t fit in your echo chamber. If you’re in your fifties or beyond, you won’t read this because you know better. But you don’t.

I sat and read an article from a media distribution outlet today. One of the big news companies posted an article about… well, it doesn’t really matter. Because this article, like most of the articles that you can find online, suffered from not having a human read it before it was posted. Words were missing from sentences. Incorrect homophones were used. In general it was the usual, “slap it together and get it published.” Usage of English be damned, to hell with fact checking, get it out there.

CNN published an article by Michelle Lou and Brandon Griggs on April 2, 2019. The article talks about bridges in the United States. Just one of the MANY errors in the article:

Structurally deficient means that one of four key elements of the bridge is rated at 4, which is poor, or below.

Below what? Below standards? Anyone that speaks English natively would immediately detect that error. What this demonstrates is that CNN cares so little about its consumers, that it’s okay to skip the editing process, throw shit at you, and expect that this is acceptable.

Make no mistake, CNN is not the only organization that does not care. Not a day goes by without articles from every news organization, written by “professionals,” having GLARING oversights in the quality of the work produced. It is NOT expected that professionals will be perfect. It IS expected that professionals will find their errors and correct them BEFORE publication. Fox, MSNBC, Washington Post, it doesn’t matter. I can provide examples from any of these outlets.


Damned if you do, damned if you don’t

The empty cloud

On August 6th, 2012 an article was published in Wired magazine by Mat Honan. In the article, he relates how the accounts he uses online were destroyed over the period of an hour. First he lost access to accounts in Google, then Twitter, and finally his Apple ID was compromised. Mat’s Amazon account was the connecting link between Google and the Apple ID.

To hear him tell the story, the damage done to his online presence was preventable. Mat knew better, but still did not use multi-factor authentication, or local backups. He then continues to talk about how the hacks happened. Someone got into a service (Amazon), harvested data from it (the last four digits of his credit card number), and used that data as an identifier with the next service (Apple ID). Each service had different identity requirements, and treated identity information differently. Data one service treats as harmless to display is data another service treats as proof of identity, and the attacker only needs to find that pair.

The reports of this attack were scathing. Tech blogs posted how-tos helping users identify if they were affected. This was negative press, and no company wanted it. Initially, Apple suspended phone password resets. This gave Apple time to reevaluate their security policy. They realized they had a problem, and moved to fix it. Two months later they announced what measures they were taking to protect their customers.

Fingering you

In September of 2013 Apple announced a new iPhone, the 5S. It had hardware that could read a person’s fingerprint and use it as a form of authentication. This change required a redesign of the hardware. No longer was security a function of just software: the phone could measure a physical attribute and determine whether the person using the device was authorized.

And this changed everything. Under the hood, Apple had to ensure that every component that handled fingerprint data (the sensor, the storage it is kept in, the processor) was the one the phone shipped with. If someone stole an iPhone, the thief could open it and replace components. A simplification of the way the system prevents this from working: the parts are paired at the factory and check each other’s fixed, unchangeable identities before they will cooperate. The part of the processor that holds the fingerprint data and does that checking is called the Secure Enclave.

Apple started its iOS security at the hardware level. They also changed the way that information is protected on the device and in iCloud. Apple removed themselves from the security equation: the keys that protect your data are derived with one-way functions from your passcode, tangled with a key unique to the hardware, so Apple never holds them. If you lose the passcode, Apple’s access to the data is prevented mathematically, not by policy. That means that law enforcement cannot get it from Apple either.
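The “one-way function, no back door” point above is easier to see in code. The following is an added Python example, not Apple’s implementation: a passcode is run through a slow key-derivation function with a device-unique value as the salt, and the resulting key is used to wrap a per-file key. The device UID, the passcode, the iteration count and the toy XOR-plus-HMAC wrapping are all assumptions made for the illustration; a real device uses a hardware key that software cannot read and a proper AES key wrap.

```python
import hashlib
import hmac
import secrets

# Assumed iteration count for the example; real devices also add hardware delay.
ITERATIONS = 50_000


def derive_passcode_key(passcode: str, device_uid: bytes, iterations: int = ITERATIONS) -> bytes:
    """One-way derivation of the key that protects the file keys.

    The hardware UID is the salt, so the same passcode on a different device
    yields a different key, and nobody (Apple included) can run the derivation
    without both the passcode and that specific device.
    """
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), device_uid, iterations, dklen=32)


def _keystream(wrapping_key: bytes, length: int) -> bytes:
    return hmac.new(wrapping_key, b"wrap-stream", hashlib.sha256).digest()[:length]


def wrap_file_key(file_key: bytes, wrapping_key: bytes) -> bytes:
    """Toy authenticated key wrap (illustrative only): XOR with a keystream,
    then an HMAC tag so a wrong key is detected instead of yielding garbage."""
    body = bytes(a ^ b for a, b in zip(file_key, _keystream(wrapping_key, len(file_key))))
    tag = hmac.new(wrapping_key, body, hashlib.sha256).digest()
    return body + tag


def unwrap_file_key(blob: bytes, wrapping_key: bytes):
    """Return the file key, or None when the wrapping key is wrong.

    'Wrong' covers both a wrong passcode and the right passcode on a different
    device, because the wrapping key depends on both."""
    body, tag = blob[:-32], blob[-32:]
    expected = hmac.new(wrapping_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(wrapping_key, len(body))))


def demo() -> dict:
    """Lock a file key with passcode 4821 on one device, then try three ways back in."""
    device_uid = secrets.token_bytes(32)  # burned into the chip at manufacture (assumed here)
    file_key = secrets.token_bytes(32)    # the per-file key we want to protect
    wrapped = wrap_file_key(file_key, derive_passcode_key("4821", device_uid))
    return {
        "right_passcode_same_device": unwrap_file_key(wrapped, derive_passcode_key("4821", device_uid)) == file_key,
        "wrong_passcode": unwrap_file_key(wrapped, derive_passcode_key("0000", device_uid)),
        "right_passcode_other_device": unwrap_file_key(wrapped, derive_passcode_key("4821", secrets.token_bytes(32))),
    }


if __name__ == "__main__":
    print(demo())
```

The thing to notice is what is absent: there is no master key anywhere in the system that could unwrap the file key without the passcode. A “back door” would have to be an extra wrapping of the file key under a key Apple keeps, and the design simply does not include one.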

“You can’t please all the people all the time.”

Apple took actions to protect themselves and their customers. The move started at the hardware level, swept through changes in the software, and was accentuated by changes in policy affecting iCloud.

They’re gobbling up everything they can learn about you and trying to monetize it. We think that’s wrong. — Tim Cook

Customers applauded. Customers cheered. Then the updates came, and customers did not cheer so much anymore.

Error 53 first showed up around February of 2016. The unrecoverable error code appears in iTunes when updating an iPhone to the most recent release of iOS: during the update the software identifies that a piece of hardware has changed. Maybe you took your phone to a repair shop not authorized by Apple. Maybe your cousin Frank fixed your phone for you. Maybe you wanted to save a few bucks and had your next door neighbor fix your phone.

What you will see is this:

Apple’s explanation:

If your iOS device has Touch ID, iOS checks that the Touch ID sensor matches your device’s other components during an update or restore. This check keeps your device and the iOS features related to Touch ID secure. When iOS finds an unidentified or unexpected Touch ID module, the check fails. For example, an unauthorized or faulty screen replacement could cause the check to fail.

You can trust me, honest.

What, exactly, is Apple trying to protect me from? The name of this type of attack is man-in-the-middle. If I can see you when I communicate with you, I can establish that the communication is most likely going directly from me to you. However, if we are in separate rooms and someone has to carry a message from me to you, they may tamper with the message after it leaves my hands, or before it gets to you. To prevent this from succeeding we have to agree on a method for establishing that what I send is what you receive.

So why are we worried about this in a phone? Assume someone steals my phone. The hardware inside the phone is connected together using wires. The fingerprint sensor is in a different room than the processor and the memory that compares what the sensor sees to a stored value. If the processor simply trusted whatever arrived on those wires, I could remove the fingerprint sensor and attach something that repeatedly sends patterns of ones and zeroes until one is accepted. This “brute force” attack is not elegant, but it is possible. The defense is pairing: the sensor and the Secure Enclave share a key provisioned at the factory and encrypt their traffic with it, so a part that does not hold that key cannot produce an answer the enclave will accept. That mismatch is exactly what the update check in Apple’s explanation reports.
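Here is the pairing idea from the paragraph above reduced to a runnable model. This is an added Python example written for this page, not Apple’s code: a hypothetical sensor and enclave share a key written in at the factory, the enclave challenges the sensor with a fresh random value on every update, and only a part holding the key can answer. A replacement that cloned the serial number and recorded one earlier answer fails, and so does an unknown part, which is the Error 53 outcome the post describes. The serial numbers, the HMAC challenge-response and the string “error 53” are assumptions for the illustration; the real Touch ID channel is an encrypted link rather than a bare HMAC.

```python
import hashlib
import hmac
import secrets


class TouchSensor:
    """Hypothetical fingerprint sensor. The pairing key is written into the part
    at the factory and never leaves it."""

    def __init__(self, serial: bytes, pairing_key: bytes):
        self.serial = serial
        self._pairing_key = pairing_key

    def respond(self, challenge: bytes) -> bytes:
        # Prove possession of the key without revealing it.
        return hmac.new(self._pairing_key, self.serial + challenge, hashlib.sha256).digest()


class SecureEnclave:
    """Hypothetical enclave side: remembers which sensor serial it was built with
    and that sensor's key, and challenges the part on every update or restore."""

    def __init__(self):
        self._pairings = {}  # serial -> pairing key, written once at manufacturing

    def provision(self, serial: bytes, pairing_key: bytes) -> None:
        self._pairings[serial] = pairing_key

    def verify_sensor(self, sensor) -> bool:
        key = self._pairings.get(sensor.serial)
        if key is None:
            return False  # a serial this enclave has never been paired with
        challenge = secrets.token_bytes(32)  # fresh each time, so a replay cannot work
        expected = hmac.new(key, sensor.serial + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sensor.respond(challenge))


def update_check(enclave: SecureEnclave, sensor) -> str:
    """What the update step does: refuse to proceed unless the sensor is the paired one."""
    return "ok" if enclave.verify_sensor(sensor) else "error 53"


def factory_build():
    """Build one phone: generate a pairing key and store it in both parts."""
    key = secrets.token_bytes(32)
    sensor = TouchSensor(b"SENSOR-0001", key)
    enclave = SecureEnclave()
    enclave.provision(sensor.serial, key)
    return enclave, sensor


class ReplacementSensor(TouchSensor):
    """Third-party part that copied the serial and captured one earlier response
    off the wires, but has no pairing key. All it can do is replay."""

    def __init__(self, serial: bytes, captured_response: bytes):
        self.serial = serial
        self._captured = captured_response

    def respond(self, challenge: bytes) -> bytes:
        return self._captured  # the enclave's challenge is different now, so this fails


def demo() -> dict:
    enclave, genuine = factory_build()
    captured = genuine.respond(b"\x00" * 32)  # an exchange an attacker managed to record
    replay = ReplacementSensor(genuine.serial, captured)
    unknown = TouchSensor(b"SENSOR-9999", secrets.token_bytes(32))
    return {
        "genuine": update_check(enclave, genuine),
        "replay": update_check(enclave, replay),
        "unknown_part": update_check(enclave, unknown),
    }


if __name__ == "__main__":
    print(demo())
```

The check is cheap and the failure is deliberate: without the pairing key the enclave cannot tell a legitimate repair from the “brute force” box in the paragraph above, so it treats both the same way.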

What were the public’s reactions when Apple accounts were easily hacked? Class action lawsuit, of course. Right down to violations of the Magnuson-Moss Warranty Act. Now that we have fixed the problem and secured everything down to the hardware level, what is the public’s reaction? Class action lawsuit, of course. It is expected that the Magnuson-Moss Warranty Act will rear its ugly head again.

At the beginning of this story, Apple was guilty of providing people what they wanted, instead of what they needed. At the end of the story Apple is providing people what they needed instead of what they wanted. What is the result for the consumer if they fall victim to Error 53? The customer buys a new phone.

Episode V: The Inquisitive Tykes Back

July 13, 2015

In this episode Princess Abigail returns to the Denver Mini Maker Faire. She hunts desperately for R2-D2. As our intrepid young princess enters the faire she finds R2 serving drinks again. It appears astromech droids make for good bartenders, who knew? The work done on this conversion is… stunning. This IS the droid she’s looking for.

Princess Abigail has been looking forward to this Maker Faire since she attended her first one, THE first one in Denver last year. You can see the record of her adventures here. She was excited to build a project at the SparkFun booth. When we found it, she was disappointed to see that there was no Simon or watch project to speak of. Her Jedi guardian informed her this was likely due to a lack of space for such an undertaking, and potentially a reality of the economics of this side of the galaxy. She enjoyed the FLIR demonstration, the “printed” circuits, and the digital synthesizer.

The Nerdy Derby was exciting to watch, but the impatience associated with being four prevented the princess from committing the time necessary to enjoy the derby itself. Her Jedi escort informed her that he would be able to acquire the vehicle blanks and 3D print the parts needed on his Printrbot. They could have their own nerdy derby, and the parts could be whatever colors she liked (and even made to look like My Little Pony).

Next she would be afforded the opportunity to make a “musical instrument.” After assembling it from hanging file folder bits, some paper wrap, masking tape, and rubber bands, she was able to reproduce… the mating call of a bantha? Well, it made noise, and at her age, noise was acceptable.

The synthesizer petting zoo was delightful. Many times she asked if she could acquire such goods to take back to her star system. Her Jedi escort reminded her that they were there to experience the entire Faire, and not just loiter at one particular location.

DenHack was the next booth that gave her and her Jedi escort pause. To understand the engineer there (identified as Radio Shack), this demonstration was one of using cheap stuff to produce an expensive simulation. There was an entire ship’s bridge constructed from inexpensive tablet computers, connected to an inexpensive laptop, producing an amazingly realistic view of a starship in space. The unique component of this demonstration was that the different positions were required to work together to accomplish tasks.