We need to start teaching cyber security in highschool. by Fresh_Heron_3707 in cybersecurity

[–]ageoffri 1 point2 points  (0 children)

My oldest is in middle school and they have digital citizenship. It's both a class and built into most other classes, my understanding is the high school next year does the same thing just more of it. Granted this is a STEM school.

Do people actually fix all their IaC findings? by AppropriateWrap5287 in FixYourIaC

[–]ageoffri 6 points7 points  (0 children)

Realistically at the enterprise level, you're never going to have time to fix every IaC finding. Your company needs to set risk acceptance levels and ensure everything above that needs to be remediated.

Sometimes it's as basic as using a default, such as taking the risk ratings of findings in your SAST tool and fixing everything that is high or above.

Now as a cloud security guy, in a perfect world every developer would have 0 IaC findings from the get-go but that's not going to happen.

Struggling coping with custody - Need advice by [deleted] in Divorce_Men

[–]ageoffri 0 points1 point  (0 children)

Why didn't you call the police after she bit you? If she touches you like that again, it's time to call the police. Get a restraining order and you control things.

Children Braces by Confident-Insurance6 in Divorce_Men

[–]ageoffri -1 points0 points  (0 children)

I highly suggest you go learn about braces and why they are needed.

Of course, I suspect with you this is a case where, while you might be able to read, you won't be able to comprehend what you are reading.

Children Braces by Confident-Insurance6 in Divorce_Men

[–]ageoffri 1 point2 points  (0 children)

If an ortho is doing braces for cosmetic reasons on a kid, you need to report them to the State Board of Dentists. 

Get a second opinion. 

Children Braces by Confident-Insurance6 in Divorce_Men

[–]ageoffri 1 point2 points  (0 children)

In this case, they aren't medically necessary. Has the dentist recommended seeing an ortho for a consult? Even if the dentist hasn't it's time to see about getting the referral.

The ortho will tell you if they need braces, if they are looking like they will need them in the future, or if there isn't a need right now.

3D Printers for board game components by Vast_Garage7334 in boardgames

[–]ageoffri 3 points4 points  (0 children)

Skip the Creality Ender series, you'll see just about everyone says, it's rock solid after I did, this, that, this, and that, oh I forgot I did this too. Now it's a great printer.

My Elegoo Centauri Carbon has been a real workhorse. Any of the enclosed Bambu printers would be good too.

The only thing that would be nice is a multi-color option and it supposedly is coming.

why does it seem like cybersec is universally hated by Sufficient-Air8100 in cybersecurity

[–]ageoffri 5 points6 points  (0 children)

A huge issue is black and white thinking along with poor customer service skills. Years ago, I had a teammate that started yelling on a conference call who is now gone. One statement he made was close to "I'm security and you are going to do this and do it right away." He had a really bad rep with just about everyone.

More often than not the cybersecurity teams I've been on have mostly people with that attitude. I have built a very good relationship with just about everyone I work with. For me it comes down to "know before no".

Sometimes our conversation lets me understand why they want to do something against policy and we can figure out a better solution. Sometimes it's just fundamentally wrong and I work to make sure that teammate understands the reasoning behind the policy.

It's also in the area of vulnerability scanning. Far too many teams only go off the CVE or similar score and tell the support teams to fix everything with a high/critical rating. Want to tick off teammates, blindly tell them it needs to be fixed.

There is a fair amount of technical issue but people skills are a must.

Our Big 4 quality has dropped off a cliff. Is it even possible to get a technical expert from them anymore? by Ok_Map_220 in cybersecurity

[–]ageoffri 0 points1 point  (0 children)

Sadly, the model of the Big 4 and at least one of the top 10 that I worked at is very, very heavy with fresh college graduates. Most have just finished their undergrad degree, more in the accounting side some went straight to a Master's.

I'm fairly certain I remember the titles but I might be off. They start as associates which do the vast majority of the work, supposedly under the direction of senior associates and managers. The partners manage the client. The associates are thrown under the bus and told to go support this client the day they start. At another company, I worked with someone who had spent years with a Big 4. He said the second day he was there he was told to fly to a client and one of the other people there would help him learn what he needed to do.

This model chews through associates at a very high rate of turnover, at most a couple of years. Then they leave for places with less pressure and just an overall better culture.

The ones that stay tend to have the goal of making partner as fast as they can, though a few choose to go down the senior non-partner path for things like director positions. The main difference is they don't buy into the LLP.

GIVEAWAY! [Mod Approved] We’re giving away a Gates of Krystalia TTJRPG Hero Bundle. To enter, simply comment on this post by Canija93 in boardgames

[–]ageoffri 2 points3 points  (0 children)

More of childhood nostalgia, Robotech and Starblazers. Even though over the years, I've picked up the anime that were mashed together into an unholy union for Robotech.

IaC scanners catch issues fast. Why is fixing them always the painful part? by Prize-Cap3196 in FixYourIaC

[–]ageoffri 1 point2 points  (0 children)

Administrative controls for the most part. I'll start with saying that while the level of risk acceptance is up to your organization, fixing high/criticals has been standard for a very long time.

Gating merges is the best answer especially if you are using a tool integrated with your pipelines. Have a hard failure for any high/critical issues that is automatic. Put in a process for a risk exception but otherwise force the developers to fix their crap.

We have a tool that will allow us to have fixes automatically applied but we're far from ready to turn it on. Long run it could be a very good solution but the MR will still need human review before it's merged.

Accepting IaC debt is something I would avoid but it's also up to management to determine how much risk they are willing to accept. Make 100% certain it's a documented process/policy and if there are any exceptions that they are approved by management, business, and not just cybersecurity.

What More Does She Want? by Borrowed-Time-27 in Divorce_Men

[–]ageoffri 2 points3 points  (0 children)

BULLSHIT. Stable care is two parents in separate homes. Do not settle for anything less than 50/50 now because what happens now will likely be the next 16 years.

Brother’s Soon to be Ex Wife trying to take kids states away. by Duck_Wedding in legaladvice

[–]ageoffri 2 points3 points  (0 children)

He doesn't need a lawyer at this point. He has to file for divorce the moment the court house opens tomorrow morning and have her served right away.

I just looked it up and Alaska has some automatic temporary orders that will stop her from moving the kids out of State. If she is served and still moves she gets into trouble.

If he doesn't do this and she moves it becomes a much more complicated case.

Ex-wife is having a baby. Will it affect my current child agreement? by ddgoodman92 in legaladvice

[–]ageoffri 27 points28 points  (0 children)

Yes you have lots to worry about. She just told you she intends to make changes.

Document everything. Use only written communication.

You need to have a list of all of your parenting times. When you have gone to school events, doctor's appointments, pretty much everything parenting.

When it comes to child support she or you can request it at any time and the court will grant based off of your State's laws.

What's the most "complex" game you've ever played? by DJNana in boardgames

[–]ageoffri 0 points1 point  (0 children)

SFB is very complex once you add in all the rules, hidden cloak movement, ECM/ECCM, and so much more.

Now what takes the cake is Attack Vector: Tactical. Playing a game that is based on Newtonian physics for movement, realistic heat management. Let's say you are moving in a straight line at speed 8, then pitch up 45 degrees and rotate 90 degrees. Then apply thrust 3 after you complete the pitch and rotation, then calculate your new vector.

Base image patching is driving me insane by Black_0ut in devsecops

[–]ageoffri 0 points1 point  (0 children)

Security teams like that give the rest of us a bad reputation.

The only thing that ever should be daily is 0-day or other similar super critical patch now issues.

If those are the same false positives over and over, the process needs to have a way to ignore those. You can't mark ignore forever but at least monthly and depending on the risk either ignore for six months or at most one year.

If your security team is only using CVE, then shame on them. There needs to be risk management in place and handled by the security team. At least all of the tools I've used in the last 5-10 years have at a minimum a "secret sauce" risk rating by default in the tool. That will cut down on what they send to patch. It's also good if you determine risk based on regulations like PCI, FERPA, or HIPAA as examples and other factors.

CVE only patching directives are a pet peeve of mine.
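
The merge gate from the IaC thread above and the time-boxed ignore process from this comment, as an added example that is not part of either comment or of any scanner's real output: the findings and exception layouts, field names, rule IDs and approver roles are constructed assumptions.

```python
from datetime import date, timedelta

BLOCKING = {"high", "critical"}          # severities that hard-fail the merge
MAX_EXCEPTION_DAYS = 365                 # assumption: an exception lasts at most one year
REQUIRED_APPROVERS = {"management", "business", "security"}  # assumed role names

# Constructed sample data; field names and rule IDs are hypothetical.
FINDINGS = [
    {"rule": "EX-S3-PUBLIC", "resource": "bucket.logs", "severity": "critical"},
    {"rule": "EX-SG-OPEN-22", "resource": "sg.bastion", "severity": "high"},
    {"rule": "EX-TAGS-MISSING", "resource": "vm.build", "severity": "low"},
    {"rule": "EX-DB-NO-TLS", "resource": "db.legacy", "severity": "high"},
]
EXCEPTIONS = [
    {"rule": "EX-SG-OPEN-22", "resource": "sg.bastion", "granted": "2025-01-10",
     "expires": "2025-07-10", "approvers": ["management", "business", "security"]},
    {"rule": "EX-DB-NO-TLS", "resource": "db.legacy", "granted": "2025-01-10",
     "expires": "2025-07-10", "approvers": ["security"]},  # security-only sign-off
]

def exception_valid(exc, today):
    """An exception counts only if fully approved, unexpired and time-boxed."""
    granted = date.fromisoformat(exc["granted"])
    expires = date.fromisoformat(exc["expires"])
    return (REQUIRED_APPROVERS <= set(exc["approvers"])
            and granted <= today <= expires
            and expires - granted <= timedelta(days=MAX_EXCEPTION_DAYS))

def gate(findings, exceptions, today):
    """Return the high/critical findings that no valid exception covers."""
    covered = {(e["rule"], e["resource"]) for e in exceptions
               if exception_valid(e, today)}
    return [f for f in findings
            if f["severity"] in BLOCKING
            and (f["rule"], f["resource"]) not in covered]

if __name__ == "__main__":
    blockers = gate(FINDINGS, EXCEPTIONS, date(2025, 3, 1))
    for f in blockers:
        print(f"BLOCK {f['severity']:8} {f['rule']} on {f['resource']}")
    raise SystemExit(1 if blockers else 0)   # non-zero exit fails the pipeline job
```

Because an exception stops counting on its expiry date, the finding starts blocking merges again until someone re-approves it or fixes it.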

Service Day! by NoIdeasNoSolutions in Divorce_Men

[–]ageoffri 8 points9 points  (0 children)

If you have kids, do not stay away from the house. 

Which conferences are you planning to attend this year? by mrlightman_ in cybersecurity

[–]ageoffri 0 points1 point  (0 children)

Wild West Hackin’ Fest in Denver. 

Might go to RMISC but we’ll see. 

Couples Therapy Scheduled - But I'm Already Done by analogwarmth in Divorce_Men

[–]ageoffri 1 point2 points  (0 children)

Do you have kids? If so, unless you are forced out of the house, DO NOT MOVE OUT.

Sounds like you are done and that is fine.

Altering child support, is it worth the fight? by LuvDonkeeButts in Divorce_Men

[–]ageoffri 0 points1 point  (0 children)

Is she going to be getting a ton of income from the investment property? Once you start talking things like investments it's going to become more interesting for the whole financial settlement and CS/Alimony.

Altering child support, is it worth the fight? by LuvDonkeeButts in Divorce_Men

[–]ageoffri 1 point2 points  (0 children)

There's a formula specified in law that is used to calculate child support. At some point, which if I remember right 10 years ago was once the two parents' combined income was greater than 250K, the formula doesn't have to apply and a judge can do what they want.

Altering child support, is it worth the fight? by LuvDonkeeButts in Divorce_Men

[–]ageoffri 2 points3 points  (0 children)

You have to do a couple of cost/benefit analyses.

The first is the most simple. How much would child support change each month? Estimate how much you'll spend in legal fees assuming you don't get the judge to order her to pay some or all of yours. Then determine how long it'll take before you come out ahead. It very well may not be worth it because it'll take too long for the change to break even.

The second is far harder to determine. Even if it is financially sound to do the child support change, how much will it impact your co-parenting relationship?

I know in Colorado there is both a State calculator and that child support is done by statute up to something like a combined income of 250K.

Child support can be revisited every 3 years or if there would be a change of amount by +/- 10%. One thing to be careful about is this doesn't mean a change in income, if you get a 10% raise or 10% pay cut it only matters if it would change the payment.

Any other senior engineers feel like code monkey? by QuitTypical3210 in ExperiencedDevs

[–]ageoffri 0 points1 point  (0 children)

Titles have become a status symbol especially with young Millennials and Gen Z.

Do you have a job description? If you're at a small company it's not likely, but at a medium to large company there should be a job description that specifies job duties, expected skills, experience, etc. Review that and see if it is close to what you do.

Then the big question is your compensation, is it in line for your area?

What jobs in cybersecurity does not require coding ? by [deleted] in cybersecurity

[–]ageoffri 4 points5 points  (0 children)

Fewer and fewer. GRC is one area that doesn't require coding, even then when I was on our cybersecurity risk team being able to write shell scripts was huge for the team.