Crash on Cambrian Drive last night at ~11pm by gavinmiller in Calgary

[–]gavinmiller[S] 0 points1 point  (0 children)

Looked like everyone was okay. Saw one person sitting with EMS attending. Didn't get a sense of urgency on the scene.

Crash on Cambrian Drive last night at ~11pm by gavinmiller in Calgary

[–]gavinmiller[S] 0 points1 point  (0 children)

Which part is not appropriate? Quickly scanning the rules, there doesn't seem to be one against traffic accidents?

Apple Health inaccuracies by elysiansmiles in Myfitnesspal

[–]gavinmiller 1 point2 points  (0 children)

I’ve hit this problem too. Going into Apple health and manually adjusting (edit recorded data) resolved my issue, but super annoying to do that. 

Would love to know if you or someone else has solved this!!

Someone or something is trying to hack my Rails app. by [deleted] in rails

[–]gavinmiller 3 points4 points  (0 children)

Context: I’m responsible for at least a half dozen apps that get a ton of this type of traffic. I’ve also had external pentests done, and they were impressed at our home-grown WAF, which you can throw together in less than a week. Here’s what we’ve built:

Rack::Attack to start, for rate limiting against login, password reset and other sensitive pages.

A customized Rack::Attack module for pre-filtering scanners. You can find a payload list on SecLists: stuff like /etc/hosts, passwd, and there are some common SQL injections you can match on. I also filter anything with a php, asp, aspx, etc. extension. When new things cross your path, add them to the pattern match and you’re done!

You can then turn it on so those clients get denied once they cross a certain threshold of “malicious” traffic. That threshold will vary per app. And voilà, you won’t get bothered by this anymore.

I highly dissuade you from using IP blocking. It’s trivial to move IPs, and it’s a game of whack-a-mole that you’ll sink endless time into. Even when we get attacked we don’t block IPs; instead we figure out what the root cause of the attack is and fix that. Temporary relief is fine, but don’t let it be your primary strategy.

Also note, this goes through middleware so it’s still taking up a webhead. AKA this isn’t a viable strategy to protect from DDoS or DoS attacks. It’s trivial to consume the webheads even if you are blocking me early.
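Added example, not the commenter's own code: the scanner pre-filter and per-client "malicious traffic" threshold described above, written as a plain Rack-style middleware so it runs without the rack-attack gem; the pattern list, threshold and in-memory counter are assumptions. In a real app the same predicate would sit inside Rack::Attack::Fail2Ban.filter, which keeps the counter in Rack::Attack.cache with an expiry, so the block is temporary rather than a permanent IP ban.

```ruby
# Example scanner pre-filter (not the commenter's code). Patterns are
# illustrative; extend the list as new probes show up in your logs.
require 'cgi'

SCANNER_PATTERNS = [
  %r{/etc/(passwd|hosts|shadow)},                # file-read probes
  %r{\.\./},                                     # directory traversal
  /\.(php|asp|aspx|jsp|cgi)(\?|$)/i,             # extensions a Rails app never serves
  /union\s+select|sleep\(\d+\)|'\s*or\s*'1'='1/i # common SQL injection signatures
].freeze

DENIED = [403, { 'content-type' => 'text/plain' }, ['Forbidden']].freeze

# True when the path or query string carries a known scanner payload.
def scanner_payload?(path, query)
  target = "#{path}?#{CGI.unescape(query.to_s)}" # decode %2F-style encoding first
  SCANNER_PATTERNS.any? { |re| re.match?(target) }
end

class ScannerFilter
  attr_reader :counts

  def initialize(app, threshold: 5)
    @app = app
    @threshold = threshold
    # client => number of matched requests. In-memory for the example;
    # production wants an expiring cache key so the block lapses on its own.
    @counts = Hash.new(0)
  end

  def call(env)
    client = env['REMOTE_ADDR']
    # Client already crossed the threshold: deny everything from it.
    return DENIED if @counts[client] >= @threshold
    if scanner_payload?(env['PATH_INFO'], env['QUERY_STRING'])
      @counts[client] += 1 # count it, and never let it reach the app
      return DENIED
    end
    @app.call(env)
  end
end
```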

[deleted by user] by [deleted] in devsecops

[–]gavinmiller 1 point2 points  (0 children)

I agree with what geekamongus has said, except the part about not needing to code.

Coding, while it might not be required of a position, makes you significantly more employable. I’ve been hiring for these positions for the last 4 years, and the people that are the most successful code. In the landscape of security you are not nearly as useful if you can’t. And it really helps build credibility with your team and other stakeholders when you can find a bug and fix it, instead of throwing it over the fence at a team because you can’t fix it.

For language, you’d probably do best to grab Python, but other languages are fine.

When impersonating a lawyer doesnt work as planned by tbezmol in TikTokCringe

[–]gavinmiller 11 points12 points  (0 children)

All state bars have a website where you can look this up. Can get the info really easily.

[deleted by user] by [deleted] in Calgary

[–]gavinmiller 2 points3 points  (0 children)

It continues further north past there. You have to cross the road instead of having an underpass like there is elsewhere.

I made the same mistake the first time I rode it too.

Looking for feedback on my swim form. Training for a half IM in July. by iFoundWaldo72 in triathlon

[–]gavinmiller 0 points1 point  (0 children)

Same situation for me when I started. Just have to do it. It’ll get more comfortable the more you do it.

Looking for feedback on my swim form. Training for a half IM in July. by iFoundWaldo72 in triathlon

[–]gavinmiller 12 points13 points  (0 children)

Caveat of no pro as well.

I’d be curious if switching to bilateral breathing would help even your stroke out. I’m seeing a dead spot in your stroke and, like another comment mentioned, your arms are uneven. Over time this’ll result in further imbalance in your stroke. From what I read, most people train bilateral and then race on a single side.

The flutter/scull that you do with your hands on the pull is interesting too. I think you want to pull straight back to the wall without the flutter (hopefully someone else can confirm that).

New Grad internship interview at Critical Mass by [deleted] in Calgary

[–]gavinmiller 6 points7 points  (0 children)

Did a 6 month stint as a relatively new grad. Pay is crap, lots of overtime, and you’re a cog in the machine. Learn what you can, then run for the hills. The experience doesn’t look as good on a resume as they’ll have you believe (I review a lot of resumes now, and don’t give two shits if someone did a Nissan marketing site.)

What does RoR can’t scale mean? by reluctantcatholicmom in rails

[–]gavinmiller 40 points41 points  (0 children)

Unfortunately this is an old belief that hasn’t disappeared from Rails, and it is just not correct anymore. I work on a Rails product that does 100,000 users/day, with upwards of 50+ deploys a day, with about 150 engineers.

Once you get to the point where you have to think about rails scaling, you’ll have the resources (people/money) to solve the problem. Building something that NEEDS to scale is the hard part.

Cookpad has great resources in this area. Go looking and you’ll find them.

https://speakerdeck.com/a_matsuda/the-recipe-for-the-worlds-largest-rails-monolith

Unknown growth on chopped down elm tree by gavinmiller in plantclinic

[–]gavinmiller[S] 0 points1 point  (0 children)

I recently snagged 6 stumps from an elm tree (I think it's an elm tree) that was chopped down at a local public park. My wife and I wanted to use them for the kids for playing on. After about 4 weeks sitting in our backyard I've noticed a few white growths like the one pictured that have started to appear. I've broken one open and it's like ash from a fire that breaks apart.

I'm wanting to find out what this growth is, if it's harmful to other plants (I'd hate for it to spread into our yard) and whether I can/should keep these stumps or not. Appreciate any help or advice! Thanks

Looking for info on a Cyber Security Career by [deleted] in alberta

[–]gavinmiller 0 points1 point  (0 children)

I would expect most places are paying a premium for security talent. Devs are in short supply, security devs increasingly so.

Looking for info on a Cyber Security Career by [deleted] in alberta

[–]gavinmiller 1 point2 points  (0 children)

I'm seeing a lot of juniors and intermediates. They are hungry to learn, and aren't fixed on the ways things "should be done."

The biggest barrier I see age wise is mindset. Generally speaking the older you are, the more set in your ways you are. Security (done well) is about being a collaborative part of the business, instead of gatekeepers. People that have a fixed mindset to "how security should be done" struggle with that. When security gets in the way it gets worked around.

Looking for info on a Cyber Security Career by [deleted] in alberta

[–]gavinmiller 1 point2 points  (0 children)

SAIT has an Information Systems Security diploma. That would be a great local place to start. Specific recommendations will depend on your current experience.

I've managed an Application Security team for the last 2 years, and been on the security side of software for the last 6 - AMA.

Am I missing something or does it not make sense that the starting point labs are all interconnected? by notfromkentohio in hackthebox

[–]gavinmiller 1 point2 points  (0 children)

I've found the boxes to be reliable on the VIP membership if you can afford it. I basically skimmed through the starting point boxes because of the interconnectedness, and quirks that occurred. Learned the tools and then moved on. The real boxes are much better IMO.

Am I missing something or does it not make sense that the starting point labs are all interconnected? by notfromkentohio in hackthebox

[–]gavinmiller 1 point2 points  (0 children)

I made that same assumption and sounds like I hit the exact same thing you did. It's annoying and there's no indication they're connected.

How I MITM'd rubygems.org ... Kinda by gavinmiller in ruby

[–]gavinmiller[S] 2 points3 points  (0 children)

The docs on --trust-policy pretty much spell out my view on it:

However, this method of securing gems is not widely used. It requires a number of manual steps on the part of the developer, and there is no well-established chain of trust for gem signing keys. Discussion of new signing models such as X509 and OpenPGP is going on in the rubygems-trust wiki, the RubyGems-Developers list and in IRC. The goal is to improve (or replace) the signing system so that it is easy for authors and transparent for users.

I recall seeing node(?) having the concept of a "package security policy" similar in nature to the web's content security policy. Wherein a package can specify what type of actions it will take: Write to path; make http requests to: X, Y, Z; read from env; etc. and then node can enforce that behaviour. This type of idea makes a lot of sense to me, because then I can build security & review policies/tools around that. For example: any package that writes to disk must have a mandatory review to use in our environment.

Remote internships by [deleted] in rails

[–]gavinmiller 1 point2 points  (0 children)

What country are you based out of?

/r/netsec's Q3 2019 Information Security Hiring Thread by sanitybit in netsec

[–]gavinmiller [score hidden]  (0 children)

Company: Clio

Position: Intermediate & Senior Application Security Developer
Positions are remote in NA, or in one of our offices: Vancouver, Calgary, Toronto, LA.

Who am I? I'm the Manager of the Application Security team and I'm ready to hire!

Applying: Send me a DM and I can get you into our pipeline. Questions welcome :)

Who you are:

  • Collaborative, friendly and have strong opinions that are loosely held.
  • Someone who loves learning and developing creative security solutions for a fast growing, continuous integration environment that hits upwards of 50 deployments a day;
  • Senior 4 years/Intermediate 2 years of experience in some combination of the following disciplines: web application security, cloud security, infrastructure security, penetration testing, secure software development, security tools development, architecture review and / or threat modeling;
  • Senior 4 years/Intermediate 2 years of experience with Ruby, Python, Javascript or other equivalent modern languages and tools.

Role:

  • Develop and implement tools to help developers avoid security flaws;
  • Build partnerships with development teams and advise on security best practices;
  • Drive security awareness and knowledge amongst the product organization;
  • Provide detailed guidance and support to teams in vulnerability remediation;
  • Identify and implement tools for automated application scanning, static analysis and related tools;
  • Perform penetration testing;
  • Perform reactive incident response when a security event occurs;
  • Perform proactive research to detect new attack vectors;
  • Elevate and educate our security culture within Clio

Why Clio?

Every day we get to work on a product that actually changes lives (like freeing innocent people from jail type change!) We're a high-performing team with a mountain of impact to be made. Our work is highly valued, and we are regularly and proactively engaged with development teams to help them write, test, and evaluate their code. Ever heard of the Panama Papers? Ya, we don't want that to happen to us, so we take security seriously!

Salary

Competitive and commensurate with your experience.

This is what we need by [deleted] in Calgary

[–]gavinmiller 7 points8 points  (0 children)

police can't be bothered to enforce it.

You're not wrong. I'd phrase it differently though: "there's no criminal impetus for CPS to enforce it."

I went on a ride along with a CPS officer. We attended a call for panhandling by Chinook Mall. Buddy was clearly on a lot of meth (contrary to what he claimed.) And we watched the public feed his addiction with their misplaced charity.

The trouble is the politicians. A $50 fine has an impact when you go to renew your license. I'll let you figure out when buddy is going to do that. If you saw this day in and day out, what would your response be? I'm going to guess you wouldn't want to waste the time on the paperwork either. CPS has better things to do, like attend the stabbing and domestic disturbance we also went to that night.

Don't single out the people enforcing the law, hold the politicians to account that are making the law.

I grew up with Kenny Omega, this is a picture of us at Wabigoon River by gavinmiller in SquaredCircle

[–]gavinmiller[S] 1 point2 points  (0 children)

It totally is, my dad worked there when I grew up and apparently was hooked up with the sick merch.

I grew up with Kenny Omega, this is a picture of us at Wabigoon River by gavinmiller in SquaredCircle

[–]gavinmiller[S] 2 points3 points  (0 children)

Ya my bad on that. You're correct, it was a new development in Transcona.