I'm sure there are several out there. But, when I was starting out, I didn't see one and just rolled my own. The process was general enough that I've been able to mostly just replace the SteamID of the game in the Dockerfile and have it work well for other games. It doesn't do anything fancy like automatic updating; but, it works and doesn't need anything special.
I see containers as having a couple of advantages:
- Separation of dependencies - while not as big of an issue as it used to be, just knowing that you won't end up with the requirements for one application conflicting with another is one less issue to worry about. Additionally, you can do anything you want to one container, without having an effect on another container. You don't get stuck wanting to reboot or revert the system, but not wanting to break a different running service.
- Portability - Eventually, you are going to replace the OS of that VM (at least, you should). Moving a container to a new OS is dead simple. Re-installing an application on a new OS, moving data and configs can be anywhere from easy to a pain in the arse, depending on the software.
- Easier fall back - Have you ever upgraded an application and had everything go to shit? In my years working as a sysadmin, I lost way too many evenings to this sort of bullshit. And while VM snapshots should make reverting easy, sometimes it just didn't work out that way. Containers force enough separation of applications that you can do just about anything to one container and not affect others.
- Less dependency on a single install - Have you ever had a system just get FUBAR, and after a few hours of digging the answer seems to be, just format the drive and start over? Maybe you tried some weird application out and the uninstall wasn't really clean. By having all that crap happen in containers, you can isolate the damage. Nuke the container, nuke the image, and the base OS is still clean.
- Easier version testing - Want to try out upgrading to version 2 of an application, but worried that it may not be fully baked yet or the new configs may take a while to get right? Do it off in a separate container on a copy of the data. You can do this with VMs and snapshots; but, I find containers to be less overhead.
That all said, if an application does not have an official container image, the added complexity of creating and maintaining your own image can be a significant downside. One of my use cases for containers is running game servers (e.g. Valheim). There isn't an official image; so, I had to roll my own. The effort to set this up isn't zero and, when trying to sort out an image for a new game, it does take me a while before I can start playing. And those images need to be updated when a new version of the game releases. Technically, you can update a running container in a lot of cases; but, I usually end up rebuilding it at some point anyway.
I'd also note that, careful use of VMs and snapshots can replicate or mitigate most of the advantages I listed. I've done both (decade and a half as a sysadmin). But, part of that "careful use" usually meant spinning up a new VM for each application. Putting multiple applications on the same OS install was usually asking for trouble. Eventually, one of the applications would get borked and having the flexibility to just nuke the whole install saved a lot of time and effort. Going with containers removed the need to nuke the OS along with the application to get a similar effect.
At the end of the day, though, it's your box, you do what you are most comfortable with and want to support. If that's a monolithic install, then go for it. While I, or others, might find containers a better answer for us, maybe it isn't for you.
I'm not going to defend everything the TSA does. And they do have a lot of problems. But, the lines at the checkpoint are the result of trade-offs in security. For all things security related, it's about managing risk. You will never eliminate risk, so you need to pick and choose where to apply controls to reduce the worst risks and accept some risk in other areas.
Think about the possible outcomes from terrorist attacks on airports. There are several possible scenarios:
- The attacker kills a few people in the airport using a direct weapon (gun, knife, etc.)
- The attacker kills a lot of people in a small area with an area weapon (bomb, gas, chemical, etc.)
- The attacker destroys an airplane in flight, killing everyone onboard.
- The attacker hijacks the airplane and takes everyone onboard for ransom.
- The attacker hijacks the airplane and uses it as a weapon, killing everyone on board and more people on the ground.
We could probably come up with other cases, but I think this covers the bulk of it. So, let's dive into managing these risks. What are the effects of such attacks, if successful?
Looking at Case 1, how many people are likely to be killed? Well, that depends on the police response time and the effectiveness of the attacker's weapon. But, based on other mass casualty events, this probably falls into the range of 10-30 people. It could move outside this range, but this is pretty typical of such situations. To pick a number in the middle, we'll say that the expected loss for such an attack is around 20.
With Case 2, again there is variability. But, it's also something we have analogs for and may be able to put a range of casualties on. The Boston Marathon bombing in 2013 killed 6. The attack on Kabul Airport in 2021 during the US evacuation killed 182, though that also included multiple gunmen attacking after the explosion. Let's put the loss rate around 50 for a single bomb, assuming a very packed area and a very effective bomb.
For Case 3, the numbers are a bit easier to get a handle on. Typical airliners carry anywhere from 100-200 passengers. The 737 MAX 8-200 is designed for 200, while the Airbus A200-100 carries around 100 passengers. We'll pin the loss rate here at 150, as attackers are likely to target larger aircraft for this sort of attack.
Case 4 is basically Case 3, but with an optional loss of only money. For that reason, I'm going to remove this case, but wanted to mention it to avoid the "well akshuly" crowd, since this is a historic problem.
That leaves Case 5. And it's Case 4's situation, plus some number of people on the ground. Certainly, not every such use of an airplane as a weapon will be as successful as the attack on 9/11. And that also involved multiple successful attacks. But, let's assume that such attacks will hit populated buildings and cause significant damage. We'll pin the expected loss at 200. This is 150 for the airplane and 50 on the ground, somewhat equivalent to Case 2 with a bomb in a crowded area.
Ok, so we have expected losses, now let's talk about how often we expect such attacks to happen? And yes, this is a rough guess. But, since terrorists are unlikely to publish their plans, it's the best we can do. We also face a difficulty in that these are still (thankfully) pretty rare events. And trying to extrapolate from a small set of data points is always a fraught exercise. So, feel free to quibble over these numbers, but I don't think any numbers which fall into a reasonable range will change things much.
Case 1 - This attack has a pretty low barrier to entry. If a person can be found to perform the attack, arming them isn't terribly hard. So, let's assume we get 2 of these attacks a year. I don't think we're actually getting that, but our goal is just to get into the right ballpark.
Case 2 - This attack takes a touch more work, bomb making isn't that hard, but making a really effective one isn't easy either. This type of attack does have the advantage that it doesn't always require the attacker to die in the process. So, it might be easier to find someone willing to engage in such an attack. Let's call this 1 per year.
Case 3 - This also requires a bomb, but it may not need to be quite as big to be effective. Granted, modern aircraft can be amazingly resilient (see Aloha Flight 243). This attack also results in the attacker dying, so that can be a bit harder to source. So, let's say this happens once every other year, or 1/2 per year.
Case 5 - So, no bomb this time, but you have to have an attacker not only willing to die in the process, but also go through enough flight training to fly the aircraft to its target. And you need the training itself. Plus, the attacker needs to get a weapon onto the aircraft. And since they need to overpower 100-200 people who might just take exception to the hijacking, you probably need multiple attackers willing to die in the attack. This is a pretty high bar to clear; so, let's say that these attacks happen at a rate of 1 every 5 years.
Ok, so let's consider our Annualized Loss Expectancy (ALE) with what we have:
| Case | Loss Expectancy | Frequency | ALE |
|---|---|---|---|
| 1 | 20 | 2 | 40 |
| 2 | 50 | 1 | 50 |
| 3 | 150 | 0.5 | 75 |
| 5 | 200 | 0.2 | 40 |
| Total | - | - | 205 |
Alright, so let's start talking about controls we can use to mitigate these attacks. By raw numbers, the thing we should care about most is Case 3, as that has the highest ALE. So, what can we do about bombs on airplanes? Making them more resilient seems like a good start, but if we could do that, the military would have done it long ago. So, really the goal is to keep bombs out of airplanes. And that's going to mean some sort of screening. We could just say "no carry on, period" and move the problem to the cargo hold. This would reduce the frequency of Case 3 and Case 5, as it would be much harder to get a bomb or weapon onto an airplane, without a bag to hide them in. But, travelers are not likely to give up all carried on bags. So, that really leaves us with searching bags and controlled checkpoints to do it. Of course, as has been noted, this would likely mean that Cases 1 and 2 become deadlier. Let's put some numbers to it. Let's say that checkpoints reduce the frequency of Cases 3 and 5 by a factor of 4 and increase the Loss Expectancy of Cases 1 and 2 by 1.5.
| Case | Loss Expectancy | Frequency | ALE |
|---|---|---|---|
| 1 | 30 | 2 | 60 |
| 2 | 75 | 1 | 75 |
| 3 | 150 | 0.125 | 18.75 |
| 5 | 200 | 0.05 | 10 |
| Total | - | - | 163.75 |
And we could push the numbers around for the effect of the checkpoints. And we could look at other controls or controls in combination. But, this is the sort of risk analysis which would need to be done to make such decisions. And, ideally, the numbers chosen would be done with a bit more care than my rectal extraction method. Can I say that anyone at the TSA/DHS/etc did this sort of analysis? No, but I suspect there has been some work on it. And it probably does lead to the conclusion that the expected loss is lower for airports with checkpoints than airports without. Though, that doesn't excuse the TSA's abysmal track record for tests done by the FBI.
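The ALE comparison from the comment above, as an added example that is not part of the original comment: it recomputes both tables from the comment's figures and solves for the break-even point, i.e. how much checkpoints must cut the frequency of Cases 3 and 5 before they offset the higher losses in Cases 1 and 2. The function names and the grouping of cases into `OUTSIDE` and `ONBOARD` are assumptions made for the example.

```python
# Added example: reproduces the comment's two ALE tables and solves for the
# point where the checkpoint control stops paying for itself.
# All names here are illustrative; the numbers come from the comment.

# (case, loss expectancy per attack, attacks per year) from the first table
BASELINE = [(1, 20, 2.0), (2, 50, 1.0), (3, 150, 0.5), (5, 200, 0.2)]
OUTSIDE = {1, 2}  # attacks in the airport itself: checkpoints raise their loss
ONBOARD = {3, 5}  # attacks needing a bomb/weapon on board: checkpoints cut frequency


def ale(rows):
    """Annualized Loss Expectancy: sum of loss-per-event times events-per-year."""
    return sum(loss * freq for _, loss, freq in rows)


def with_checkpoints(rows, freq_reduction=4.0, loss_multiplier=1.5):
    """Apply the comment's control model to a table of (case, loss, freq)."""
    out = []
    for case, loss, freq in rows:
        if case in ONBOARD:
            freq = freq / freq_reduction
        elif case in OUTSIDE:
            loss = loss * loss_multiplier
        out.append((case, loss, freq))
    return out


def break_even_reduction(rows, loss_multiplier=1.5):
    """Smallest frequency-reduction factor r at which checkpoints are neutral.

    Solves outside * m + onboard / r = outside + onboard for r.
    Returns None when the added loss outside exceeds everything that
    could be saved on board, so no reduction factor can break even.
    """
    outside = ale([r for r in rows if r[0] in OUTSIDE])
    onboard = ale([r for r in rows if r[0] in ONBOARD])
    budget = onboard - outside * (loss_multiplier - 1.0)
    if budget <= 0:
        return None
    return onboard / budget


if __name__ == "__main__":
    print(f"no checkpoints:   ALE = {ale(BASELINE):.2f}")
    print(f"with checkpoints: ALE = {ale(with_checkpoints(BASELINE)):.2f}")
    for m in (1.25, 1.5, 2.0, 2.5):
        r = break_even_reduction(BASELINE, m)
        verdict = "never breaks even" if r is None else f"needs r > {r:.2f}"
        print(f"loss multiplier {m}: {verdict}")
```

With the comment's 1.5 loss multiplier, the break-even frequency reduction is about 1.64, so the assumed factor of 4 leaves a wide margin.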
If something requires an "app" and a connection to "the cloud" for basic functionality, don't buy it. This sort of abandonment by the manufacturer will always happen. Maybe it will last longer. Maybe it will be next week. But once the company has your money, the last thing they want to do is to spend any of that money providing you with support.
I work in cybersecurity for a large company, which also uses the MS Authenticator app on personal phones (I have it on mine). I do get the whole "Microsoft bad" knee-jerk reaction. I'm typing this from my personal system, running Arch Linux after accepting the difficulties of gaming on Linux because I sure as fuck don't want to deal with Microsoft's crap in Windows 11. That said, I think you're picking the wrong hill to die on here.
In this day and age, Two Factor Authentication (2FA) is part of Security 101. So, you're going to be asked to do something to have 2FA working on your account. And oddly enough, one of the reasons that the company is asking you to install it on your own phone is that many people really hate fiddling with multiple phones (that's the real alternative). There was a time, not all that long ago, where people were screaming for more BYOD. Now that it can be done reasonably securely, companies have gone "all in" on it. It's much cheaper and easier than a lot of the alternatives. I'd love to convince my company to switch over to Yubikeys or the like. As good as push authentication is, it is still vulnerable to social engineering and notification exhaustion attacks. But, like everything in security, it's a trade off between convenience, cost and security. So, that higher level of security is only used for accessing secure enclaves where highly sensitive data is kept.
As for the "why do they pick only this app", it's likely some combination of picking a perceived more secure option and "picking the easiest path". For all the shit Microsoft gets (and they deserve a lot of it), the authenticator app is actually one of the better things they have done. SMS and apps like Duo or other Time based One Time Password (TOTP) solutions, can be ok for 2FA. But, they have a well known weakness around social engineering. And while Microsoft's "type this number" system is only marginally better, it creates one more hurdle for the attacker to get over with the user. As a network defender, the biggest vulnerability we deal with is the interface between the chair and the keyboard. The network would be so much more secure if I could just get rid of all the damned users. But, management insists on letting people actually use their computers, so we need to find a balance where users have as many chances as is practical to remember us saying "IT will never ask you to do this!" And that extra step of typing in the number from the screen is putting one more roadblock in the way of people just blindly giving up their credentials. It's a more active thing for the user to do and may mean they turn their critical thinking skills on just long enough to stop the attack. I will agree that this is a dubious justification, but network defenders really are in a state of throwing anything they can at this problem.
Along with that extra security step, there's probably a bit of laziness involved in picking the Microsoft option. Your company picked O365 for productivity software. While yes, "Microsoft bad" the fact is they won the productivity suite war long, long ago. Management won't give a shit about some sort of ideological rejection of Microsoft. As much as some groups may dislike it, the world runs on Microsoft Office. And Microsoft is the king of making IT's job a lot easier if IT just picks "the Microsoft way". This is at the heart of Extend, Embrace, Extinguish. Once a company picks Microsoft for anything, it becomes much easier to just pick Microsoft for everything. While I haven't personally set up O365 authentication, I'm willing to bet that this is also the case here. Microsoft wants IT teams to pick Microsoft and will make their UIs even worse for IT teams trying to pick "not Microsoft". From the perspective of IT, you wanting to do something else creates extra work for them. If your justification is "Microsoft bad", they are going to tell you to go get fucked. Sure, some of them might agree with you. I spent more than a decade as a Windows sysadmin and even I hate Microsoft. But being asked to stand up and support a whole bunch of shit because of one user's unwillingness to use a Microsoft app, that's gonna be a "no". You're going to need a real business justification to go with that.
That takes us to the privacy question. And I'll admit I don't have solid answers here. On Android, the app asks for permissions to "Camera", "Files and Media" and "Location". I personally have all three of these set to "Do Not Allow". I've not had any issues with the authentication working; so, I suspect none of these permissions are actually required. I have no idea what the iOS version of the app requires. So, YMMV. With no other permissions, the ability of the app to spy on me is pretty limited. Sure, it might have some sooper sekret squirrel stuff buried in it. But, if that is your threat model, and you are not an activist in an authoritarian country or a journalist, you really need to get some perspective. No one, not even Microsoft is trying that hard to figure out the porn you are watching on your phone. Microsoft tracking where you log in to your work from is not all that important of information. And it's really darned useful for cyber security teams trying to keep attackers out of the network.
So ya, this is really not a battle worth picking. It may be that they have picked this app simply because "no one ever got fired for picking Microsoft". But, you are also trying to fight IT simplifying their processes for no real reason. The impetus isn't really on IT to demonstrate why they picked this app. It is a secure way to do 2FA and they likely have a lot of time, effort and money wrapped up in supporting this solution. But, you want to be a special snowflake because "Microsoft bad". Ya, fuck right off with that shit. Unless you are going to take the time to reverse engineer the app and show why the company shouldn't pick it, you're just being a whiny pain in the arse. Install the app, remove its permissions and move on with life. Or, throw a fit and have the joys of dealing with two phones. Trust me, after a year or so of that, the MS Authenticator app on your personal phone will feel like a hell of a lot better idea.
Yes, yes it has. And it's directly because of Russia engaging in exactly the type of expansionist wars NATO was set up to stop.
The investigation report is going to be interesting. While bridges can only take so much punishment, they are usually designed to survive some collisions with their pylons. I wonder what the state of the bridge was, prior to the collapse. If it's anything like the rest of the infrastructure in the US, it was probably not good. Though, this may also be a case that the designers in the 70's planned for a collision with a cargo vessel of the times, which were tiny bath tub boats compared to the super container ships we have now. The Dali was built in 2015; she is a 300m ship capable of carrying 116851 tons. That's a lot of mass for the pylon and its barriers to stop.
If we could harness the energy of Reagan spinning in his grave, we'd have a limitless supply of energy.
Imagine telling any conservative, during the Cold War era, that we could completely fuck Russia's military power and readiness, for years to come, by sending weapons to a relatively small country. They would be rushing to arm anyone and everyone they could, unintended consequences be damned. And yet, here we are with the GOP blocking exactly that sort of activity. And even better, there is a very real possibility that we aren't arming future terrorists this time around. Maybe that's the GOP's problem, Russia losing in Ukraine won't create an excuse in 20 years to kill more brown people.
Good. Tying aid to cuts in IRS funding was absolutely asinine. Failing to fund Ukraine, which is actually fighting for its continued existence as a political entity, is also asinine.
Yes, Hamas is a horrible organization; but, the Israeli Government isn't facing an existential threat and has not been an innocent actor in the situation in Gaza. Aid and support should come with strings attached to ensure the protection of civilians and property rights of the people being displaced.
Ford Motor Co.'s second-quarter profit more than tripled to $1.92 billion versus a year ago (source)
Revenue rose 12% to $44.95 billion
Kinda hard to drum up sympathy for the company when it's raking in almost $2 billion in profit per quarter. Yes, Ford is burning about $1 billion per quarter on EVs right now. That's not something the workers should be financing. That's money the company is investing to be viable in the future. That sucks for the shareholders; but, they are the ones who will reap any benefits of that investment and they should be the ones eating the cost.
Time for The Satanic Temple to open Satan's Elementary School and apply for charter funding.
The kids are over the moon with their gifts. Ma's in her bath tub and I'm in my cups. And I'm about to settle in for a long evening of Nethack. So ya, I'm feeling pretty good for Christmas evening.
I hope everyone here who is feeling down finds something in the new year to make them happy.