I was looking at [1] recently to understand omicron variant positivity length and they cite a few other papers. The article [1] is publicly available. I haven’t checked if all of the others are.
* Routsias JG , Mavrouli M , Tsoplou P , Dioikitopoulou K , Tsakris A . Diagnostic performance of rapid antigen tests (RATs) for SARS-CoV-2 and their efficacy in monitoring the infectiousness of COVID-19 patients. Sci Rep. 2021;11(1):22863. doi:10.1038/s41598-021-02197-z
* Currie DW , Shah MM , Salvatore PP , et al; CDC COVID-19 Response Epidemiology Field Studies Team. Relationship of SARS-CoV-2 antigen and reverse transcription PCR positivity for viral cultures. Emerg Infect Dis. 2022;28(3):717-720. doi:10.3201/eid2803.211747
* Korenkov M , Poopalasingam N , Madler M , et al. Evaluation of a rapid antigen test to detect SARS-CoV-2 infection and identify potentially infectious individuals. J Clin Microbiol. 2021;59(9):e0089621. doi:10.1128/JCM.00896-21
* Killingley B , Mann A , Kalinova M , et al. Safety, tolerability and viral kinetics during SARS-CoV-2 human challenge in young adults. Nat Med. 2022;28:1031-1041. doi:10.1038/s41591-022-01780-9
The Inkplate 10 is great. I haven’t gotten a lot done other than toy stuff, but so far it’s been a mostly good experience.
Another nice entry point is micropython. Some of the getting started stuff has gaps but overall nice and simple if you’re more comfortable in Python. Major libraries have ports so it mostly is an easy dive in.
In a past job I’ve seen crappy crawlers from badly designed security applications do stuff like this. As an example, one customer was using Trend CAS to scan all URLs in their inbound email. This caused big bursts of traffic on our systems.
The crawls came from Azure and AWS. Forged UAs, repeat hits on the same URL, etc.
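As an added illustration of the burst pattern the comment above describes (this is example code, not the commenter's or any vendor's), here is a small detector that reads combined-format access logs and flags clients showing two of the tells mentioned: many hits on the same URL from one IP in a short window, and one IP rotating through several User-Agent strings in that window. The log format, the thresholds, the IPs and the sample lines are all assumptions constructed for the example.

```python
"""Flag scanner-like clients in web access logs.

Two weak signals, each tunable:
  * repeat hits: one client fetches the same path >= REPEAT_THRESHOLD times in a window
  * UA churn:    one client presents >= UA_CHURN_THRESHOLD distinct User-Agents in a window
Thresholds, log format and sample lines are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format is assumed; referer and UA may be "-".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

WINDOW_SECONDS = 60       # sliding window length
REPEAT_THRESHOLD = 5      # same ip+path hits inside the window
UA_CHURN_THRESHOLD = 3    # distinct UAs from one ip inside the window

# Constructed sample: one ordinary visitor (203.0.113.7) and one bursty client
# (198.51.100.23) re-fetching a single tracking URL while rotating User-Agents.
SAMPLE_LINES = [
    '203.0.113.7 - - [10/Aug/2022:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/103.0"',
    '203.0.113.7 - - [10/Aug/2022:12:00:09 +0000] "GET /about HTTP/1.1" 200 1024 "http://example.test/index.html" "Mozilla/5.0 (X11; Linux x86_64) Firefox/103.0"',
    '198.51.100.23 - - [10/Aug/2022:12:00:10 +0000] "GET /unsubscribe?t=abc HTTP/1.1" 200 300 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/104.0"',
    '198.51.100.23 - - [10/Aug/2022:12:00:11 +0000] "GET /unsubscribe?t=abc HTTP/1.1" 200 300 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"',
    '198.51.100.23 - - [10/Aug/2022:12:00:12 +0000] "GET /unsubscribe?t=abc HTTP/1.1" 200 300 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/103.0"',
    '198.51.100.23 - - [10/Aug/2022:12:00:14 +0000] "GET /unsubscribe?t=abc HTTP/1.1" 200 300 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/104.0"',
    '198.51.100.23 - - [10/Aug/2022:12:00:20 +0000] "HEAD /unsubscribe?t=abc HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"',
    '198.51.100.23 - - [10/Aug/2022:12:00:31 +0000] "GET /unsubscribe?t=abc HTTP/1.1" 200 300 "-" "curl/7.85.0"',
    '198.51.100.23 - - [10/Aug/2022:12:00:35 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "curl/7.85.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    return d


def flag_clients(lines, window=WINDOW_SECONDS, repeat=REPEAT_THRESHOLD, churn=UA_CHURN_THRESHOLD):
    """Return {ip: {"repeat_paths": [...], "ua_churn": n}} for clients tripping either signal."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        repeat_paths = set()
        max_uas = 0
        start = 0
        path_counts = defaultdict(int)   # path -> hits inside the current window
        ua_counts = defaultdict(int)     # UA   -> hits inside the current window
        for e in evs:
            path_counts[e["path"]] += 1
            ua_counts[e["ua"]] += 1
            # Slide the window start forward until all events inside are within `window` seconds.
            while (e["ts"] - evs[start]["ts"]).total_seconds() > window:
                old = evs[start]
                path_counts[old["path"]] -= 1
                ua_counts[old["ua"]] -= 1
                if ua_counts[old["ua"]] == 0:
                    del ua_counts[old["ua"]]
                start += 1
            if path_counts[e["path"]] >= repeat:
                repeat_paths.add(e["path"])
            max_uas = max(max_uas, len(ua_counts))
        if repeat_paths or max_uas >= churn:
            flagged[ip] = {"repeat_paths": sorted(repeat_paths), "ua_churn": max_uas}
    return flagged


if __name__ == "__main__":
    for ip, info in flag_clients(SAMPLE_LINES).items():
        print(ip, info)
```

Both signals are deliberately weak on their own: a shared NAT egress will show UA diversity, and a legitimate retry storm can repeat a URL. In practice you would combine them with an ASN or cloud-range lookup on the source IP and with the request's other headers before rate limiting or blocking.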
Having worked in anti-abuse for nearly 20 years this is spot on. Even if it were possible, publishing “the algorithm” isn’t going to solve anything. It’s not like it can be published in secret or avoid being instantly obsolete.
All of this is an exercise balancing information asymmetry and cost asymmetry. We don’t want to add more friction than necessary to end users, but somehow must impose enough cost to abusers in order to keep abuse levels low.
Unfortunately for us, it generally costs far less for attackers to bypass systems than defenders to sustain a block.
As defenders we work to exploit things in our favor - signals and scale. Signals drive our systems, be it ML, heuristics, or signatures (or more likely a combination). Scale lets us spot larger patterns in space or time. At a cost. 99%+ effective systems are great, but at scale 99% is still not good enough. Errors in either direction will slip by in the noise; especially targeted attacks.
As a secondary step, some systems can provide recourse for errors. Examples might include temporary or shadow bans, rate limiting, error reporting, etc. Unfortunately, cost asymmetry comes into play again. It is far more costly to effectively remediate a mistake than it is to report one. We’re back to cost asymmetry.
All of this is suboptimal. If we had a better solution, it would be in place. Building and maintaining these systems is expensive and won’t go away unless something better comes along.
I think a big part of why this is a focus nowadays is because some "community standards" started crossing into political canards as abuse types, so normies who are not spammers are starting to bump into anti-abuse walls, which don't create real appeal processes because that is too expensive. Now the political class is starting to demand expensive things as a result, and they have the guns.
In the past the rules were obvious easy wins like "no child porn" and "no spam" that nobody really gave a shit about; most welcomed anti-abuse because they never encountered it in their normie behavior.
To reduce the 'political' costs of their anti-abuse systems, these platforms need to drop community standards that start becoming political canards, and say that if political canards are to be enforced one way or another, then it has to become law. That creates a much higher barrier for the political class to enact, because they have another political camp on the other side of the aisle fighting them tooth and nail, because all political canards have multiple sides.
That might mean dropping painful things like coronavirus misinformation enforcement, violent hate speech against LGBT groups in certain countries and even voting manipulation, because you have to let the political class determine the rule set there, not the company itself. Otherwise it will be determined for you, in a really bad way, even in the USA.
I mean, all of this might be true or it might not be true, but either way: if Cory Doctorow is appealing to "security through obscurity" to make his argument, he's making a clownish argument.
Yeah I'm not even thinking about Cory, just talking about this general issue and why it has become an issue in the past 7 years, vs any other time. I really think it's come down to enforcing political things as rules, and suggesting to any lurker who works in anti-abuse in big tech that you need to start putting a price on enforcing political rules, much like you do in many other parts of anti-abuse as you explained, or you're going to destroy the company eventually.
I know that would be really hard also in most big tech, because unfortunately there is a specific political opinion culture there, and basically suggesting that you stop enforcing LGBT hate speech is not going to go well with the general employee population. Puts them between a rock and a hard place, so it would probably have to be done confidentially.
In reading Mudge's complaint, it really paints the Twitter leadership (esp. Agrawal) as simply not caring about security enough to do anything about it. Instead you had an org with massive amounts of technical and operational debt, and leadership not willing to invest in it. There are always tradeoffs between fixing technical debt and building new features. Twitter leadership chose to ignore (and to some extent, hide) the problem rather than invest. They certainly aren't unique in having a security plan that is built around hope.
Engineers having full control over their dev machines up to and including preventing system updates is not ideal; but not out of the norm for tech. Poor data access controls, and out of date server fleets (where I'd expect updates to be pretty automated) are far more worrying to me.
I wonder if Mudge was fired for, basically, being too good at his job. He didn't toe the CEO's line, and was pointing out how the house was on fire, which is not what Agrawal wanted to hear (maybe Dorsey wanted to hear it when he hired Mudge, but Agrawal had different ideas). I suspect that most people who make it ultra high level as "Head of X" are hired more for their organizational/social talents, which oftentimes involves capitulating to those more powerful/higher on the food chain, rather than being actually talented at X. Mudge actually has the bona fides for the role, which is why he got fired (I'm guessing).
It's worth noting that being good at IT Security is in huge part a function of your soft skills, since you should be able to sell security to the org, since your job is to make the work happen, not to identify it and complain that it needs to be done.
any amateur can run some automated scanners and issue security diktats to the rest of the organization
I mean...Twitter hired him as head of security. They ostensibly already cared about security. Or, at least Dorsey did, maybe Agrawal didn't. I suspect he wanted a yes man to offer some minor changes and say "Yup, everything's secure here". Before this, Mudge was facilitating the NSC in ultra high level briefings to provide accurate reports to POTUS. I suspect you don't end up in that position without some strong soft skills. But, as strong as they are, you can't convince someone who doesn't want convincing.
the head of security is responsible for getting buy-in from the organization on security measures, that's what makes them the head
"you can't convince someone who doesn't want convincing" is also a weak cop-out that would be totally unacceptable as an attitude of the head of anything. As head of IT Security, part of your JOB is convincing people who aren't convinced (easily played off as 'they don't want convincing' by people who fail to convince them)
if a head of IT Security came to me as a CEO and lamented "the organization isn't doing what I tell them to do", I feel like an appropriate question is, "what do you plan to do about it?" or "what options do you have in mind to get them to?" Every CEO knows security is a pain, they hire executives in order to delegate pains away
being supportive of an endeavor doesn't mean being okay with your executives laying key parts of their own job description (remember, it's the CISO's job to get buy-in, not the CEO's) at your feet and telling you that it's hard to do because "some people don't want to be convinced"
in your example, the CEO might continue to listen while the head of security explains why it's worth more than that 30% loss to secure the systems
examples might include the cost of lawsuits, the cost of regulatory action, the risk of actual harm to people (customers or otherwise), the cost of reputational damage, etc... security has to economically justify its internal projects just like every other department does
Ok, and the CEO still isn't convinced, because he knows he will be fired and his lifetime earnings potential and reputation will be greatly diminished if the stock dumps like that, regardless of the reason.
Is that still the failure of head of security?
In this scenario, I feel like you've only left room for head of security failure and not CEO failure. Maybe I did the opposite, but it's based on Mudge's long track record. Agrawal doesn't really have a track record outside of being promoted at near record pace to CEO in a company.
If the CEO's personal success is appropriately tied to the company's success, the CEO will be, for the most part, incentivized to do what's best for the company
if you don't have a benefit that outweighs the stock dumping like that (in other words, in the CEO's opinion, is the probability of bad stuff happening, multiplied by the downside of it happening, greater than that 30% drop?) then your proposal simply isn't something that should be done
that's not to say the CEO hasn't failed by hiring an executive who can't do their job when it requires soft skills and persuasion
What's good for Twitter the company and Twitter the stockholders is not necessarily what is good for Twitter users. Security breaches negatively affect the users whose data is breached. It only affects the company if it takes a reputational hit because it was announced that their security was breached. But, will India announce that they forced an insider in Twitter with access to all sorts of user data? Probably not. Will people swept up by India's secret police know that it was Twitter that ratted them out? Probably not.
Let's look at a CEO of a cigarette company in the 1940s. The head of health comes to him with strong evidence that cigarettes cause lung cancer and are slowly killing their users. What would the appropriate action for a CEO be? Or for the head of health? Is the head of health a failure if he can't convince the CEO that they shouldn't be selling cigarettes? I don't think so. Because the head of the company might care more about money than about giving people cancer, and that is his choice to make.
Yeah, maybe the company may hit some rough times later, but if the CEO just hides this report, then the CEO can keep making money, and maybe the shit won't hit the fan until the CEO is already retired or dead.
Instead of stopping the sale of tobacco and shuttering the business, the CEO fires the head of health. Then, the head of health goes to a newspaper as a whistleblower saying that tobacco causes cancer and the CEO knows about it. In what world is the head of health a failure here?
I agree that cases involving harming people are exceptional ones for which both quitting in protest and whistleblowing should be on the table, but again, those are exceptional circumstances
an analogy in ITSEC would be knowledge of an actual (not potential) ongoing user data exfiltration and hiding knowledge of that
most ITSEC scenarios are not this, but rather a failure to explain why the potential loss of doing nothing is worse than the actual loss of doing something, just like a CRO must explain why the potential loss of not entering a market is worse than the cost of entering it
> In reading Mudges' complaint, it really paints the Twitter leadership (esp. Agrawal) as simply not caring about security enough to do anything about it.
I've worked in 3 Fortune 250 blue chip companies. My experience is that senior management is doing just enough about security to check the boxes that the trade press -- and the consultants they say we should hire -- say we need to check to have enough legal coverage to weather a possible lawsuit.
Given that Yahoo! had their ENTIRE user database hacked, and VISA, and endless other examples of major personal data breaches, and that none of these things ever results in anything more than a slap on the wrist, I'd say that even these paltry box-checking efforts are probably a waste of money.
I don't know how this situation would be materially any different at a "FAANG" company versus a 100-year-old manufacturing company.
Definitely. Twitter seems to have not been doing a lot of standard best practices for a company of their size.
My intent was pointing out that engineers with high level access to their dev machines is pretty common in tech. Not that other controls like policy enforcement are also often absent in tech (esp in larger companies). Hard to know how common that is -- seems unusual at least in big tech.
Many of the Mitsubishi heat pumps work with central ducted systems just fine. I have one (replaced a central gas heat, electric AC system).
It’s just a different air handler but the heat pump was the same as would have been used in a mini-split install.
When cross shopping the Mitsubishi vs Trane, the Mitsubishi was miles ahead. I didn’t even get the most cold weather efficient option (not needed for my climate).
I see a few in Portland and several in nearby zip codes. Hopefully one can work for you. There are different tiers of “diamond” so you can compare if the difference matters to you.
One thing that’s a bit different is the air handler and outside compressor run on one circuit (mine is a 3 ton unit). So there’s a power line between the 2 units. That threw off our city inspector. But it works out nice since I now have an extra 20A breaker free :)
Thanks! Do you have the technical docs with the efficiency curves for the Mitsubishi ducted systems? I can’t find the materials amongst all the marketing.
For reference, here’s what we have: 36KBTU AIRHANDLER/HEATPUMP HI-STATIC M SERIES DUCTED SYSTEM
INDOOR MOD# SVZ-KP36NA
OUTDOOR MOD# SUZ-KA36NA2
It’s a slightly older model as we had height restrictions to work around. This prevented us from getting a newer or hyper heat model. IIRC ours had good efficiency into the 20F range which was plenty for us.
In comparison, the Trane dropped efficiency at 50F and needed heat strips at that temp (so pretty crap).
I found it in their catalog. You’ll need your model or series. After all the specs there were some efficiency/temp tables. It was under Pros (vs homeowner) -> USA -> product support -> catalog -> m and p series.
The conversation we should be having is where are we now, and what is good enough?
Having worked in large scale anti-abuse detection for most of my career (~18 years), the points mentioned in the Twitter thread align with my experience. Scaling in this area is hard. 99% efficacy sounds great, until you say 99% out of millions/billions. The amount of FNs ('bad' or unwanted things) is still substantial enough for users to notice. Taking a 229m active user count [1], 99% fake account detection efficacy sets you at 2.2m fake accounts. Looking into tweets/day you have similarly large numbers if you want to look at content detection.
Twitter can most likely do better given the right resources, people, and leadership support (Facebook has similar problems aligning all 3 of those). Once they have those, the open question is how much better they can get. Each incremental increase in efficacy gets more expensive.
To top it off, as detection gets better, you think those abusing Twitter will sit still? Of course not, they'll change tactics (content, usage of hacked accounts, etc.).
I can’t speak for ipinfo, but in comparing free vs commercial data, only very basic geolocation by IP is public. This might be due to the IP block allocation (country/region/city) or handy things like ISPs that use geo names in the host name. Many other ranges are opaque blocks or allocated to something like a reseller, etc.
Getting finer grained data down to smaller groups of blocks is harder and not public.
Packaging it up into an easy-to-consume (normalized) form is yet another layer of work.
[1] COVID-19 Symptoms and Duration of Rapid Antigen Test Positivity at a Community Testing and Surveillance Site During Pre-Delta, Delta, and Omicron BA.1 Periods. https://jamanetwork.com/journals/jamanetworkopen/fullarticle...