paulgorman.org


Sun Jun 6 06:00:01 EDT 2021
========================================

Slept from eleven to seven.

Mostly sunny. Highs in the upper 80s. Southwest winds 5 to 10 mph. Gusts up to 25 mph in the late morning and afternoon.

Watched The Beast Must Die. Fun. Great cast. Like the mystery meta-frame.

Finished reading A Desolation Called Peace.

https://arstechnica.com/information-technology/2021/06/hacker-lexicon-what-is-a-supply-chain-attack/
https://www.sans.org/blog/what-you-need-to-know-about-the-solarwinds-supply-chain-attack/
https://www.npr.org/2021/05/28/1001402799/one-hack-to-fool-them-all

Disappointed the Planet Money episode didn't go into the economics that facilitate these supply chain attacks — that open source (for all its overwhelming goods) makes software cheap to develop, and no one has enough economic incentive to scrutinize the security of those projects. They only sort of brush up against this:

> GOLDSTEIN: And so this relentless pursuit of efficiency left us, left the economy vulnerable - surprisingly vulnerable. And it feels analogous to this SolarWinds story, where software is this incredibly efficient industry, and doing things like having programmers be networked and using code from all these different sources - these are very efficient practices that let people build really powerful software really cheaply. But what we're learning now with this hack is that, as you say, like, maybe that's not really most efficient in the long run even if it superficially seems so.

> TEMPLE-RASTON: ...Really the impetus to have people say, let's not do it this way. They were chasing, you know, who could do it the most cheaply and not necessarily the most safely. And I think that what has happened as we've seen these hacks grow more and more sophisticated, I think there's a realization that the way we used to do things, we can't do them that way anymore and that we have to have defense much more in mind than we did in the past.

Really — has anyone really learned that lesson? How will industry practices change without some regulatory or market incentive? Since companies are never held responsible/liable for security issues, the real incentive is that they continue to do things as cheaply as possible, regardless of security. (I'm sort of shocked this attack wasn't something like an open source node.js component.)

Listened to TildeRadio.

Might _really_ need a new mattress. Lay down on the floor, on my yoga mat, and almost fell asleep right away.

Servings: grains 7/6, fruit 2/4, vegetables 4/4, dairy 4/2, meat 1/3, nuts 0.5/0.5

Brunch: banana, ramen with avocado and sausage, coffee
Lunch: corn chips with beans and salsa
Dinner: orange, macaroni and cheese with broccoli
