OMG Tonight's NCIS opening makes fun of the "two idiots one keyboard" scene from much earlier in the show, which is made even better by it being written by McGee. Honestly hilarious.
Would that make you a void *
You can tell how much power my ADHD has over me at any given time based on how deeply nested my parentheticals get (and how many I forget to close because I forgot I was in more than one (not that I would ever forget something like that).
Oh yeah operationally it's useless
The CNN level events is a fun one that I actually really believe is valuable - specifically because so many security problems stem from poor technology choices.
I haven't spent much time in Crowdstrike trying to build out useful metrics but I would love to do this.
But then, on top of that, I want to see the stats on how accurate outputs are based on certain assumptions made by prompts. E.g. "find the vulnerabilities" implies there are vulnerabilities, "are there vulnerabilities" would probably produce different results (even more different, that is)
Interesting thing I just thought about. LLMs are non-deterministic, but people keep inventing new ways of saying "a markdown file" to help create consistency.
What I'd like to explore is two completely separate accounts interacting the exact same way with the same inputs, at scale.
I think I have this somewhere after hearing someone mention it at Shmoocon many years ago. Or maybe a book with a similar title.
Yeah I really don't like ambiguous data lol. You're absolutely right, but it's really not gelling with my brain very well lol.
I'm finding this a fun and mildly annoying challenge about my transition from an IC focused purely on getting things done, to now trying to understand how to communicate all the work my team is getting done.
But what I'm coming to find the most frustrating about metrics in general is that I think they often get too decoupled from their method of collection. You can't just pick cool metrics that you don't know how to reliably measure.
I also hate metrics for the sake of having numbers. If you collect numbers but can't speak to whether they should go up or down, it's not a good metric.
Appsec & offensive security metrics in general are a good example of ambiguous metrics. More vulnerabilities is… good? For your performance? What?
I've been researching a lot about metrics as I'm now responsible for tracking metrics for our enterprise security function. My historical take on security metrics is that they are all bad, because the metrics people default to are basically contingent on your ability to get other people to do work.
In classic dade fashion, I hadn't posted a blog post since April. Published 4 in a row over the last few days, mostly about self hosting and my pursuit of the ideal server.
But most recently: don't use infra-as-code to manage user access. It's not worth it.
0xda.de/blog/2026/02...
Do You Wanna Date My Avatar immediately stuck in my head, thanks for this Tay.
I didn't plan to spend the rest of my weekend rewatching The Guild, but maybe it's that time. Maybe next weekend I can go back and rewatch Pure Pwnage, while I'm at it.
Pronouncing "Retro" like Scooby Doo from now on.
Ret-roh!
His build is ready, nodes weak, pods are heavy
There's lagging in the cluster already, Kubernetes
Help @lookitup.baby, my kubernetes is spaghetti stained
A charmingly low-resolution photo of a ground-level kitchen cabinet. The door is open and there is a hodgepodge of various tupperware items, many looking like they belong to completely different sets. Some might be old sour cream containers, can't really tell. It's a joke about how kubernetes is a container orchestrator and this is container chaos.
The kubernetes we have at home
This also really helped drive away the fears of updating that existed before I joined the organization. Reproducible builds without the constant toil and noise of dependabot made people much less scared of updating regularly. Security updates were treated basically no different than any other.
My rationale was that dependabot served as a good RSS feed of new major version updates, major version updates were more likely to introduce API changes, give them a little more effort.
Everything else, just update it every monday and forget about it.
This is fairly in line with the decision I landed at with Python (for apps specifically, libraries are a bit different).
1. Dependabot turned on for major version updates only
2. Make heavy use of ~= markers, pin only where necessary
3. Weekly job to re-lock lock file (uv, pipfile, etc) & test
Deadmau5 is a huge nerd, and huge cat fan. I think most people only associate him with music but he is doing a lot of insane technical work under the hood. At defcon 2 years ago he stopped by the Hak5 booth and he was talking about some C++ rendering engine he was building, iirc.
Can't believe it's been 10 years of madness. I think in 10 years we've managed to get through maybe 40, 50 talks in total, and have probably had somewhere between 150 and 300 judges in that time.
Can't wait to see what you're working on, buddy.
I'm at @wildwesthackinfest.bsky.social in Denver and we're looking to hire for a wide variety of roles across IT and Security.
Did I mention we build Satellites? It's pretty cool stuff.
If you're here and looking for work, let's chat. #WWHF #MileHigh2026
I feel like my ability as an engineer unlocked when I accepted that, most of the time, everyone in the room knows a whole lot about things I don't, and I know a whole lot of things they don't. They just need my help because my expertise ended up becoming the foundation for them to do theirs.
The machines that may never be held responsible for the liabilities they create, no less.
Just had a moment of realization for my feelings about the push by VC-backed AI sycophants to "vibe code business apps"
They have not yet learned that lines of code go in the liability column, not the asset column. And they may never learn, because they've forfeited cognition to the machine.