
Friday, May 22, 2020

Pholos - Magos Biologis



This Tech-Priest Dominus from 2017 is the first 40K miniature I had done in over 5 years.  My last army were the Heirs of Vulcan, Mega Man-style Space Marines that I never got around to finishing before I sold the lot during spring cleaning.  The new Adeptus Mechanicus minis as well as the hype around 8th Edition finally got me to pull the trigger on more models.

The thing that really hooked me was the change in resources available to hobbyists during my hiatus.  The explosion of high production-quality painting tutorials on YouTube, led by none other than Duncan Rhodes on Warhammer TV, is what really got me excited to paint.  I assembled miniatures for Blue Table Painting around 2005, which included conversions fed by their huge bitz wall.  But as much as I loved creating a new model, I didn't have the talent for my painting to keep up with my building.  This mini became the gateway to my current hobby enjoyment.  In addition to finding a Bob Rossian Joy of Painting, I have slowed down the rate of purchase, and I have also worked to level up my painting with each mini.  Check out other projects tagged Warhammer 40K for the latest.


The colors reflect the theme of the army.  Verdant green on ripped robes with gold sleeves.  This ragtag assemblage hates the weakness of flesh, and they despise the plants they're turning into war material for the Imperium.  The bottles of unguents keeping them alive are just as sickly green as their robes.

I pushed my skills in terms of layering.  At this point, I was doing no wet blending or even palette mixing.  Following painting tutorials, I applied a base, wash, base again on raised areas, and layers.  The techniques were basic, but seeing the miniature go from grey to painted was transformative.  I settled into a routine of finishing a single color through to highlights with this miniature.  Rather than base-coating everything (and reaching a featureless mini some people call "the ugly stage"), it felt good to practice basic techniques then iterate on the next color.  Before finishing the model, I went back over my novice areas and applied what I had learned.  This one miniature taught me so much about the process of painting.  If you also have a fear of painting, maybe try painting a squad leader before picking up a squad?

The base is a small circular medallion from a craft bin.  The cork and basing material help give it height in the display case without building a whole diorama.  The base is painted with drybrushing.  I finished it with stain after sanding away any stray brown base paint.  The bushes and grass are from model railroad supplies.

First Coat

Almost Done

Around and Around

Wednesday, May 20, 2020

Learning AWS - Reflections after a Year in the Cloud

In 2018, a new job for me meant a new tech stack: AWS. Regardless of how long you’ve been developing software, new infrastructure can make you feel like you're starting from scratch. Jumping from a company with a cold room full of mainframes to somewhere cloud native was a shock, but I've enjoyed learning this wide world of cloud^h^h^h^h^hsomeone else's computer. If you feel like a cloud n00b, this post collects tips and tricks for learning cloud development from zero.

As with everything, pace yourself when trying to understand AWS and how to use it. If you feel blocked, put down one service and try another. I have found my happy path is a mixture of study, practical labs, poking around company infrastructure, and handling support rotations. Each contributes, in the long run, to understanding the available services and building effective products upon them.

The Basics - AWS Vocabulary

The Cloud - Someone else’s computer. Keep this in mind when learning about AWS. It’s all just servers in a data center somewhere else. AWS may take care of a large or small portion of managing these computers for us, and they charge a large or small fee for the privilege.

Identity and Access Management, IAM - Amazon’s method of controlling access and permissions to AWS resources. Users can have multiple IAM roles. EC2 Instances use IAM roles. Policies rely on IAM roles to allow/deny access so you only make resources available to those that need to access it.

Regions - A set of AWS data centers that are geographically related but operationally separate. Resources, accounts and VPCs can occupy a specific region.

Availability Zones - Each Region has at least three AZs. Each AZ is a data center separated from the others within a specific Region. Each has independent power, cooling, and compute resources to enable you to add fault tolerance to your applications. If internet connections or power to one AZ go down, you should be able to launch resources in the remaining AZs to compensate for the outage.

Fully Managed Service - AWS services that are fully-managed handle scaling, replication, fault-tolerance and latency without you needing to consider it. A big one is managed Elasticsearch clusters. All you need to do is specify a few parameters and AWS configures the rest (for the most part). Though you don't have to do nearly as much management, learning how to tune managed services is still up to you to solve.

EC2, Elastic Compute Cloud - Virtual machines you can launch on a whim, using the OS you desire, configuring them as you please. This is the backbone of AWS's successes. EC2 is the opposite of fully-managed services. AWS gives you the box, and you do the rest.

Learning Resources

AWS has a host of resources available to help you learn what options are available. If you’ve never worked with a cloud provider before, I suggest taking some of their video training for Cloud Practitioner Essentials. Log in with an Amazon (not AWS) account at https://www.aws.training/. Some trainings include labs that walk you through how to start your own instances, marshal AWS resources, and build a thing for yourself in the cloud. Pick something that matches your skill and engagement level, or use their workshop syllabus to self-guide training.

One of the best ways to learn cloud infrastructure is by doing. AWS offers a massive amount of services at a free tier. Small VMs, hours of lambdas, and lots of S3 space can be used to learn a service without paying a dime to Amazon. YouTube tutorials about services are often built specifically to never breach free-tier levels of usage. Take advantage of this if getting your hands dirty helps you learn best. Various online learning companies have video training and integrated quizzes/tests. Some have labs that rely on the free tier of AWS so you can learn at basically no charge. If you're learning for work, talk to your manager about supporting a subscription if you have a specific avenue of study you want to go down.

If you’re a book person, AWS sponsors official study guides for each certification they offer. These can go out of date fairly quickly, but even an old version will help you get your feet wet when using a prominent service (DNS is DNS, and a Route 53 study guide will be largely as applicable next year as last). Check the public library for guides that will be applicable even if they aren't current. Find a Slack channel at work or speak with experienced engineers. Context from experience can break a logjam of misunderstanding faster than reading the AWS docs for the fifth time.

Certifications

The AWS certifications are not required to work with cloud resources, but they can be a big boost to your confidence. If certifications and tests are your preferred method of study, here are a few lines that have been recommended:

  • AWS Cloud Practitioner Essentials - Good overview of AWS resources, administration, security, and budgeting. Take this if you’ve never used cloud resources before and want to come up to speed fast. Available as a series of videos with a free online test for certification.

  • AWS Solutions Architect - This is another broad level of study that can be useful after studying Practitioner. It offers a good overview of current offerings at AWS. You might use some, others not so much. Sometimes it feels like a sales pitch for their managed services, but the curriculum is useful for determining what is possible during the initial phases of a project. The multi-tiered certifications offer a learning path that can scale to your experience and career trajectory.

  • AWS Certified Developer - A deep dive on developing with AWS, the Developer cert study can be helpful in learning how to build on AWS as a developer. The practical labs and study areas cover some of the same problems you might have to solve every day in taking an idea from concept to supportable, sellable, product. This set of certs is also multi-tiered, and it can scale with your own experience if you feel like you need a fresh challenge.

  • AWS Certified SysOps Administrator - Another deep-dive learning path that can help understand how to configure, secure, and economize cloud resources. Covers management and tooling available to keep a cloud running smoothly and safely without breaking the bank. Also has multiple tiers of certification.

Surviving Dementia - Signs of Trouble

Note: This post is a part of a series detailing my family's fight with dementia and elder abuse.


It took a long time for my family to recognize the changes that were happening to my grandfather because of dementia.  The loss of routine with my grandmother's death caused him to start making questionable decisions.  As we attempted to protect him, we misinterpreted why he was acting the way he was.  This led to further alienation as his symptoms grew more pronounced.  It is my hope that by sharing these initial stages as we experienced them, we can help others in a similar situation.

My grandparents were always helping someone.  When my father divorced, their house was a place of stability.  As I grew up, I heard of cousins, friends and others that relied on that refuge for themselves.  I never heard of remuneration; there was never a question of space or logistics.  They would open a space for those that needed it.  A cousin we called Aunt treated them like second parents.  Their home was open to my father's friends in his youth, and friends of my brother and me during ours.  When home life was rough, we lived there full-time, and they would cart us all over the US for summer vacation.  When my grandmother died, my brother and I were gone with families of our own.  From our perspective, he lost something he'd always had: a person that needed his help.

For a few months, life seemed to be returning to normal.  I stayed at the house a few nights a week to help keep him company, and other family stepped in to pack up my grandmother's things.  The past few years had left him increasingly isolated.  My grandmother slowed to where she mostly watched TV, and my grandfather noticed this.  He would repeat to us his concern about our grandmother with every visit.  Sometimes more than once in the same visit.  We filed it away as odd but not beyond his typical behavior.  A bout with shingles caused my grandfather to stop attending church in about 2010.  His own friend group had aged with him as well.  His closest friend, a gardening columnist in the Las Vegas area, passed in 2014 as well.  He had few visitors outside family.  My brother and I were strategizing on what the future looked like.  Would one of us move in and help out?  What would my grandfather want?  In the middle of this period, we started running up against a wall as his compensations started to crumble.

As I was working full time, my grandfather was helping my family (let alone another) with rides to and from school, doctors, and other family appointments.  We began to notice that he was less punctual than usual.  His driving was less careful. And we would sometimes call him for a pick-up and wait more than an hour while he was unreachable on his phone.  We'd finally reach him to find that he was off on the opposite end of town having completely forgotten about the request.  Eventually, our family was no longer comfortable relying on him, or trusting him behind the wheel.

As a former handyman, my grandfather was the first person I thought of when my father's wooden gate broke.  We loaded it into the back of a truck and set off to see him.  When we got there, we worked mostly in the garage, and I noticed my grandfather was wary of letting us go inside.  Finally, I went in and met a mother and her child.  This was the first time I met Zakeyaha Amacker.  I had never seen these people before in my life, but my grandfather claimed he knew the mom through her mother from way back, and that he was giving the children a ride to school.  I tried to pry, but he shut me down.  They claimed to be Katrina refugees and that they lived close by. I made it a point to increase my presence.  He was being nice and had found a way to help someone in the absence of my grandmother.  They seemed like friendly and temporary personalities in my grandfather's life.  I could not be more wrong.

Starting about 5 months after my grandmother's death, the situation at the house became untenable.  The people I met had moved in.  The house was a mess with dishes, spoiled food, and trash everywhere.  In the preceding months, the only thing I could find on Zakeyaha was an article from the Las Vegas Sun about a double shooting at the Excalibur in 2012, and the only local women that I know of who hang out at the Excalibur in the middle of the day are sex workers.  We were afraid for my grandfather's safety, jewelry was missing, and my grandfather, despite assurances, could not tell us what these people were doing here or when they would be gone.


One night in April 2015, I came to find the house vacant.  I searched it looking for signs as to who these people were.  I found instead stolen credit cards and IDs, cigarette and pot remnants that had clearly been smoked inside the house, and Zakeyaha's things spread throughout my grandfather's bedroom.  I did not have time to address these things that night.  No one was home, I was alone, and I clearly was in over my head.  I took extensive pictures and resolved to talk to my grandfather directly about my concerns.

The whole month of May, I pressed my grandfather on the phone for an explanation of what I had seen.  He denied that he knew about any of it, and he swore they would be gone within the week.  But the weeks dragged on.  I would explain the evidence again, and he would reassure me again.  One night, I found the house to be vacant when I had scheduled a visit with him.  In a fit, I locked every door and called my brother to come over too.  While we were waiting for them to arrive, someone rolled up looking for 'Z' and claiming to sell weed (still illegal in Vegas at the time).  A call to the cops was answered with ambivalence.  In the interim, my grandfather eventually arrived home with Zakeyaha in tow; I refused to let her inside without talking to my grandfather, first, alone.  I explained the shady behavior to his face.  Finally, I got my grandfather to agree to have her trespassed.  The cops finally showed up and took away the person selling weed, but wanted to stay out of the domestic dispute.  Regardless, they did not force us to allow them back into the house.  We bagged up her things and took her to a family member's apartment a few blocks away.  Whew.  What a relief.  That was over.

All of this was absolutely bonkers to me.  I grew up Mormon.  My grandfather took me to church.  Old people were supposed to obsess over their grandkids, not look for an entirely new family.  I had hoped to move into his house with my family and be there as he aged.  Instead, I'm trying to stop strangers from living there.  I felt betrayed.  Maybe she was a prostitute.  Maybe he'd been a patron while my grandmother was still alive.  I didn't know what to think.  Most importantly, I didn't have the tools to even recognize what kind of cognitive impairment that was starting to take hold.

With dementia, it is not uncommon for families to notice a steep decline after major life changes.  Things that seemed fine as they were happening (story repetition, arriving late, keeping new company, or uncharacteristic anger issues) are signals of damage in their brain, and that damage adds up over time.  Know that none of this is because your loved one no longer loves you or just doesn't care.  As hard as it may be, try to not take their words personally as you help steer them toward help and safety.  In truth, a person suffering from dementia can no longer understand why their anger is misplaced.  The brain is a wonderful and plastic thing, but eventually these cognitive changes can reach a breaking point.  Often, the compensations rely on family and friends that are alienated by the new behavior.  Social deficits creep in but aren't noticed until the spouse passes.  Money trouble manifests only after reserves run dry.  Anger spills over when they are overwhelmed with social stimuli they can no longer process.  These are all symptoms of dementia, and each affected person walks a different path through them.

Dementia is not a normal part of aging, it is instead a distinct decline separate from the most common changes as we get older.  Even if your family has no history of dementia, it is my recommendation that you get comfortable with the signs as soon as possible.  Begin to take note of behavioral changes as you come across them.  If you are your relative's Medical Power of Attorney, you can speak with their physicians directly.  Your relative may consent to having you tag along at the doctor where you can voice your concerns and begin working on evaluations that will allow you to bring maximum treatment options to bear.

Beyond the signs and symptoms of cognitive impairment like memory and social deficits, dementia can also change the personality and manners of those it affects.  It is common to have a person with dementia alternate between compliance and anger when confronted with difficult topics.  The changes to their brain prevent them from processing social cues or events, and they will sometimes revert to fight or flight behavior as a compensation.  It was this compliance that was used by Z to put off any talk of their departure, and it was this same compliance that allowed us to have Z trespassed.  As my grandfather was more and more affected by dementia, he was angry over perceived slights and chafed at our attempts at seeking help.  This was the hardest for us to deal with, and both my brother and I spent many a night yelling, confronting, and crying over someone we had never seen get actually irate.  Try not to take it personally as it is not them that is doing this to you.  It is the disease.

Through all of this, the Las Vegas Metropolitan Police Department was singularly unhelpful.  They will do the bare minimum for you even if there are obvious signs of abuse.  They took the guy with weed away before they considered handling the abuse in the house.  And their referral to Elder Abuse detectives led to years of disappointment.  They may even prioritize looking at you and what you are trying to do as exploitative and unlawful because they do not know the first thing about dementia or responding to elder abuse.  It looks like just one more domestic squabble.  Cops are not your friends.  Avoid calling them if at all possible.  Handle things through family attorneys before symptoms appear instead.

Though we won this battle, we did not have an inkling of my grandfather's true condition.  The symptoms were right in front of us if we had been educated enough to see them.  It started with small behaviors that we were reluctant to call him on.  Eventually, we could not rely on him for previously rock-solid tasks.  And this chapter climaxed in discovering how others had begun to manipulate him.  It would still be 5 years until we extricated him from their grasp.

Wednesday, January 22, 2020

New Year, New DEF CON

During the DEF CON 26 DC101 Panel, someone (probably highwiz) asked one of the n00bs they brought on-stage, "What makes you a hacker?" In the past, it has been used by bad actors as an aggressive question.  Thoughtful types and artists have used it as a prompt.  But here it was dripping with curiosity.  "Why do you go to DEF CON?"

I'm more than a year out from a move that took me far from my hometown of Las Vegas to an adventure into the Pacific Northwest.  Budgets, family and time being what they are, I too had to ask myself, "What makes you a hacker?  Why should you go to DEF CON, again?"  Obviously, moving two states makes it harder to go.  Plane tickets are cheap enough in cattle-class, and I'm lucky to have family and friends in town upon which I can rely for lodging.  But family illness and obligation are also considerations, and this feeling in the pit of my stomach topped it all off: the idea that I no longer belonged.

Ironically, this security-focused community is affected by deep insecurities.  Concerns of legitimacy, competence, and belonging haunt us collectively, as do public examples of snake oil, burnout, and depression.  Discussions of Impostor Syndrome are almost cliche in their frequency.  As is the mouth-agape disbelief following one of our rock stars admitting they second-guess themselves.  This loose band of social misfits and punks emerged from our cocoon of BBSes and IRC to be famously dysfunctional.  We have had to exorcise #MeToo demons, and our unhealthy relationship with alcohol keeps many away for fear of their own safety.  As a late-comer to DEF CON, I have not been personally affected by loss of friends in the community, but there's a reason Amber Baldet gave a talk on Suicide Interventions at DC21.  Hackers in my cohort are maturing as well.  Some of us are on our third career since the demoscene, and it has veered wildly away from any Information Security role.  There has to be something that keeps us coming back to the desert in August.  It sure ain't the unmistakable fragrance of Sunday morning talks.

It is a bit of a balancing act to maintain a conference that keeps drawing more and more people.  As of this writing, DC28 is scheduled to use almost 400,000 sq. ft. of conference space in a brand new facility.  Almost 30 villages with both broad and niche topics have formed, and each is a mini-con in and of itself.  Along with this widening scope, there were public and repeated attempts by The Dark Tangent to reestablish DEF CON as a Hacker event and set it apart from the Information Security industry where so many of its attendees find employment.  In the past, DT has publicly disinvited the Feds, and the run-up to DC27 saw another public clarification that while individual villages arrange their own sponsorship, DEF CON maintains no corporate sponsors.  You can see the push and pull of "What makes you a hacker?" at the highest levels.

And so we approach a new year and a new DEF CON.  Since DC19, I've grown with the conference.  I started managing Toxic BBQ with the help of friends and this will be our fifth consecutive kick-off barbecue.  People just show up to create an inviting space from scratch for anyone that can find it.  I won a Black Badge with my son at DC 26 by solving crypto puzzles and have tried to contribute in equal measure since then. And yet there's this nagging feeling...

Ultimately, I've decided the gate-keeping question is not an important one to answer.  What I give to and get from DEF CON keeps me going.  It comes down to a desire to think things I have never thought before.  I may not be able to show off like some, but I can gawk with the best of them at the Hacker Carnival.  DC28's theme, Discovery!, is right out of my high school years when the internet promised the sum total of human knowledge at our fingertips and all that we could do once those barriers dropped.  Maybe we can celebrate by shedding our insecurities.  Just for the weekend.

Sunday, March 24, 2019

The Aviary: Huckleberry

The Aviary, Pg 404

One of the cocktails hailing from The Office, a speakeasy basement bar underneath The Aviary, this seemed simple to assemble with only one bit of complicated machinery: a sous vide.  Also, the presentation alone was intoxicating: a frothy head atop a mauve concoction? Sign me up!


I was able to obtain a chinois at a Goodwill.  The strainer and pestle separate juice from pulp and seeds.  However, the main ingredient is a clove tincture (fancy word for Everclear infused with clove).  This required a sous vide as written.  As long as I've heard about them, I have never pulled the trigger on this low-temperature wonder-machine (I don't have an Instant Pot either).  I figured it was time to lay that to rest.

There are plenty of DIY sous vide videos on the internet.  I settled on one that recommended a rice cooker combined with an industrial 110V AC temperature controller instead of a brewer's setup.  The most important part of this setup is the type of heated pot you use.  I couldn't use my crock pot, for example, because it had a digital control.  Every time the power cut off and then back on, it would not return to heating the pot.  My manual-switch rice cooker worked like a charm, however.  Then, for $20 in parts from the hardware store and $20 for the temperature controller on Amazon, I had a safe contraption through which to control my rice cooker and keep a pot of water within 2 degrees of a specific temperature for any length of time (perhaps "safe" is relative; use wire nuts and an electrical box when playing with mains, kids; the picture below shows iteration one with no cover).


The clove tincture was dead simple but extremely smelly.  $1 in bulk cloves and some Everclear got me a half dropper full of the cloviest drops that ever passed your nose.  A word of warning: toasting the cloves is a horrendously smoky business.  Do this with a hood on full blast or outside.  We had to open all the windows and run for coffee.  I already had a vacuum sealer, so I dumped the toasted cloves into a bag, poured on the alcohol, and dunked it into the rice cooker for an hour.  I decanted the result into an amber bottle with dropper and savored the aroma (which wasn't hard; it was everywhere).


The rest of the recipe was fairly simple.  Huckleberries don't come into season until August, so we went with blackberries from Mexico.  The syrup came together easily with a few gradually finer strainings.  6oz made 166g of juice.  Amaro Averna from Total Wine, Bombay Gin on sale, and Angostura bitters I already had on hand completed the boozy bits.  A quick trip through a shaker came out with a pink foamy pour that gradually separated into mauve and foam.  The bitters and pepper hit our nose, and the herbal hit of the drink completes it.  It's just sweet enough with off-season blackberries to be pleasant without being overpowering.  As we drank, we noticed the colors change and aromas deepen.  Very fun and dynamic drink.



A second round (can't waste syrup, after all) made with vodka toned down the herbal nature.  This will probably be the version I make for myself unless the guests are already gin drinkers.  Too close to 'too much' pine.  A friend suggested ditching the clove and replacing it by painting the glass with Chartreuse.  Either way, this seems to be a reliable cocktail to just have on hand.  Freezing berry syrup during their season in 2oz portions and the huge amount of clove tincture I have left over means it will be quick to assemble with a fun story to tell while we shake it up.

The Aviary: Knickerbocker

The Aviary, Pg 249

One part of a tiki flight, I was recommended to try this based on the raspberries.

While the recipe as written requires a pacojet, I don't have $5000 just to get deliciously drunk.  I tried an ice cream maker to make the slush instead with fantastic results.  The instructions say to freeze the mix and rum separately and process together, but a spin in the ice cream maker brought it to just enough slush for a small batch.

The real winner here is the recommended rum.  My first "drink until you hurl" experience was with coconut rum, and I've avoided the spirit ever since.  The Zaya Gran Reserva aged rum has really caught me by the nose, however.  It has just enough molasses to be delicious, and the aging has mellowed it considerably compared to its frat-boy cousin.  I'll definitely be stocking this as a rum of choice (unless the book turns up something even better).

Dan Moves North

Plenty has gone on in the past year. Here's a quick rundown:

- Learned how to quilt. 104 patches from my tour-guiding days on a lap quilt.

- Learned how to Black Badge at DEF CON 26. Shout out to my fellow Murder Hobos, PunkAB, and the entire Dungeons@DEFCON team for this kick-ass experience.

- Learned how to move across country through forest fires and with cats.

- Learned how to survive a leg infection possibly from a cat scratch (not pictured; it was pretty gnarly).

- Learned how to not buy board games. I finished a 10x10 (play ten games ten times or more) without buying any new games in between. Moving thinned the collection, but it still takes up an entire linen closet.

Tuesday, June 12, 2018

Quotes from Dan Kaminsky's Keynote at DEF CON China


Above is Dan Kaminsky's keynote at the inaugural DEF CON China.  It was nominally about Spectre and Meltdown, and I thought it was immediately applicable to testing at all levels.  Here are some moments that jumped out at me:

On Context

"There's a problem where we talk about hacking in terms of only software...What does hacking look like when it has nothing to do with software." 1:55

"But let's keep digging." Throughout, but especially 5:40

"Actual physics encourages 60 frames per second. I did not expect to find anything close to this when I started digging into the number 60...This might be correct, this might not be. And that is a part of hacking too." 6:10

"Stay intellectually honest as [you] go through these deep dives. Understand really you are operating from ignorance. That's actually your strong point. You don't know why the thing is doing what it is doing...Have some humility as you explore, but also explore." 7:40

"We really really do not like having microprocessor flaws...and so we make sure where the right bits come in, the right bits come out. Time has not been part of the equation...Security [re: Spectre/Meltdown] has been made to depend on an undefined element. Context matters." 15:00

"Are two computers doing the same thing?...There is not a right answer to that. There is no one context. A huge amount of what we do in hacking...is we play contexts of one another." 17:50

[Re: Spectre and Meltdown] "These attackers changed time which in this context is not defined to exist...Fast and slow...means nothing to the chip but it means everything to the users, to the administrators, to the security models..." 21:00

"Look for things people think don't matter. Look for the flawed assumptions...between how people think the system works and how it actually does." 35:00

"People think bug finding is purely a technical task. It is not because you are playing with people's assumptions...Understand the source and you'll find the destination." 37:05

"Our hardest problems in Security require alignment between how we build systems, and how we verify them. And our best solutions in technology require understanding the past, how we got here." 59:50

On Faulty Assumptions

"[Example of clocks running slow because power was not 60Hz] You could get cheap, and just use whatever is coming out of the wall, and assume it will never change. Just because you can doesn't mean you should...We'll just get it from the upstream." 4:15

"[Re: Spectre and Meltdown] We turned a stability boundary into a security boundary and hoped it would work. Spoiler alert: it did not work." 18:40

"We hope the design of our interesting architectures mean when we switch from one context to another, nothing is left over...[but] if you want two security domains, get two computers. You can do that. Computers are small now. [Extensive geeking out about tiny computers]" 23:10

"[RIM] made a really compelling argument that the iPhone was totally impossible, and their argument was incredibly compelling until the moment that Steve Jobs dropped an iPhone on the table..." 25:50

"If you don't care if your work affects the [other people working on the system], you're going to crash." 37:30

"What happens when you define your constraints incorrectly?... Vulnerabilities. ...At best, you get the wrong answer. Most commonly, you get undefined behavior which in the presence of hacking becomes redefinable behavior." 41:35

"It's important to realize that we are loosening the assumption that the developer knows what the system is supposed to do...Everyone who touches the computer is a little bit ignorant." 45:20

On Heuristics

"When you say the same thing, but you say it in a different time, sometimes you're not saying the same thing." 9:10

"Hackers are actually pretty well-behaved. When hackers crash code...it does really controlled things...changing smaller things from the computer's perspective that are bigger things from a human's perspective." 20:25

"Bugs aren't random because their sources aren't random." 35:25

"Hackers aren't modeling code...hackers are modeling the developers and thinking, 'What did [they] screw up?' [I would ask a team to] tell me how you think your system works...I would listen to what they didn't talk about. That was always where my first bugs came from." 35:45

On Bug Advocacy

"In twenty years...I have never seen stupid moralization fix anything...We're engineers. Sometimes things are going to fail." 10:30

"We have patched everything in case there's a security boundary. That doesn't actually mean there's a security boundary." 28:10

"Build your boundaries to what the actual security model is...Security that doesn't care about the rest of IT, is security that grows increasingly irrelevant." 33:20

"We're not, as hackers, able to break things. We're able to redefine them so they can't be broken in the first place." 59:25

On Automation

"The theorem provers didn't fail when they showed no leakage of information between contexts because the right bits went to the right places. They just weren't being asked to prove these particular elements." 18:25

"All of our tools are incomplete. All of our tools are blind." 46:20

"Having kind of a fakey root environment seems weird, but it's kind of what we're doing with VMs, it's what we're doing with containers." 53:20

On Testing in the SDLC

"We do have cultural elements that block the integration of forward and reverse [engineering], and the primary thing we seem to do wrong is that we have aggressively separated development and testing, and it's biting us." 38:20

"[Re Penetration Testing]: Testing is the important part of that phrase. We are a specific branch of testers that gets on cooler stages...Testing shouldn't be split off, but it kinda has been." 38:50

Ctd. "Testing shouldn't be split off, but it kinda has to have been because people, when they write code, tend to see that code for what it's supposed to be. And as a tester, you're trying to see it for what it really is. These are two different things." 39:05

"[D]evelopers, who already have a problem psychologically of only seeing what their code is supposed to do, are also isolated from all the software that would tell them [otherwise]. Anything that's too testy goes to the test people." 39:30

"[Re: PyAnnotate by @Dropbox] 'This is the thing you don't do. Only the developer is allowed to touch the code.' That is an unnecessary constraint." 43:25

"If I'm using an open source platform, why can't I see the source every time something crashes? ...show me the source code that's crashing...It's lovely." 47:20

"We should not be separating Development and Testing... Computers are capable of magic, and we're just trying to make them our magic..." 59:35

Misc

"Branch Prediction: because we didn't have the words Machine Learning yet. Prediction and learning, of course they're linked. Kind of obvious in retrospect." 27:55

"Usually when you give people who are just learning computing root access, the first thing they do is totally destroy their computer." 53:40 #DontHaveKids

"You can have a talent bar for users (N.B.: sliding scale of computer capability) or you can make it really easy to fix stuff." 55:10 #HelpDesk

"[Re: Ransomware] Why is it possible to have all our data deleted all at once? Who is this a feature for?!... We have too many people able to break stuff." 58:25

Sunday, June 10, 2018

Postman Masterclass Pt. 2

During my second Postman meetup as part of the Las Vegas Test Automation group, we were able to cover some of the more advanced features of Postman. It's a valuable tool for testing RESTful services (stronger opinions on that also exist), and they are piling on features so fast that it is hard to keep track. If you're a business trying to add automation, Postman is easily the lowest barrier to entry. And with a few tweaks (or another year of updates) it could probably cover most of your API testing.

The meetup covered the Documentation, Mock Server and Monitor functionality. These are pieces that can fit into your dev organization to smooth adoption, remove roadblocks, and add automation with very little overhead. In particular, the Mock Servers can break the dependency on third-party integrations quite handily. This keeps Agile sprints moving in the face of outside roadblocks. The Monitors seem like a half-measure: they provide a GUI for setting up external monitors of your APIs, but you still need Jenkins and their Newman node package to do the same within your own dev environment. The big caveat with each of these is that they are most powerful when bought in conjunction with the Postman Enterprise license.  Still, at $20 a head, it's far and away the least expensive offering on the market.

Since the meetup, I've found a few workarounds for the features I wish it had that aren't immediately accessible from the GUI. As we know from testing in general, there is no one-size-fits-all solution.  The new features are nice, but they don't offer some of the basics I rely on to make my job easier.  Here is my ever-expanding list of add-ons and hidden things you might not know about.  Feel free to comment or message me with more:

Postman has data generation in requests through Dynamic Variables, but they're severely limited in functionality. Luckily, someone Dockerized the npm faker package into a RESTful service. This is super easy to slipstream into your Postman Collections to create rich and real-enough test data. Just stand it up, query it, save the results to global variables, and reuse them in your tests.

The integrated JavaScript libraries in the Postman Sandbox are worth a fresh look. The bulk of my work uses lodash, crypto libraries, and tools for validating and parsing JSON. These turn your simple requests into data validation and schema tracking wonders.

  • Have a Swagger definition you don't trust? Throw it in the tv4 schema validator. 
  • Have a deep tree of objects you need to be able to navigate RESTfully? Slice and dice with lodash, pick objects at random, and throw it up into a Monitor. Running it every ten minutes should get you into the nooks and crannies.
This article on bringing in the big list of naughty strings (https://ambertests.com/2018/05/29/testing-with-naughty-strings-in-postman/amp/) is another fantastic way to fold interesting data into otherwise static tests. The key is to ensure you investigate failures. To get the most value, you need good logs, and you need to pay attention to your results in your Monitors.
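As an added example (not code from the meetup or from the Postman project), here is the pattern behind the schema-validator bullet and the naughty-strings article above: a data-driven loop that feeds each input to the API, validates the response against a Swagger-style schema, and keeps a per-input failure record with the JSON path so the Monitor log is worth investigating. The schema, the input list, the `fakeCreateUser` stand-in for the API under test and the `validateSubset` stand-in for `tv4` are all constructed here so the script runs under plain Node.

```javascript
// Added example, not from the meetup or the Postman project. Plain functions so it
// runs under Node; in the Postman sandbox you would call tv4.validateMultiple(body,
// schema) instead of validateSubset() and report through pm.test / console.log.

// Constructed schema, the shape a Swagger definition would give a user record.
const userSchema = {
  type: 'object',
  required: ['id', 'name', 'email'],
  properties: { id: { type: 'integer' }, name: { type: 'string' }, email: { type: 'string' } },
};

// Minimal stand-in for tv4: type, required and properties only. Errors carry the
// JSON path so a monitor log says which field broke, not just "test failed".
function validateSubset(value, schema, path = '$') {
  const actual = Array.isArray(value) ? 'array' : value === null ? 'null' : typeof value;
  const want = schema.type;
  const typeOk = want === 'integer' ? Number.isInteger(value) : actual === want;
  if (!typeOk) return [{ path, message: `expected ${want}, got ${actual}` }];
  const errors = [];
  if (want === 'object') {
    for (const key of schema.required || []) {
      if (!(key in value)) errors.push({ path: `${path}.${key}`, message: 'missing required property' });
    }
    for (const [key, sub] of Object.entries(schema.properties || {})) {
      if (key in value) errors.push(...validateSubset(value[key], sub, `${path}.${key}`));
    }
  }
  return errors;
}

// Constructed naughty inputs (a tiny sample of the real list) and a constructed
// stand-in for the API under test that mishandles two of them.
const naughtyNames = ['Alice', '', '1e10', 'null', '名字'];
function fakeCreateUser(name) {
  const looksNumeric = name !== '' && !Number.isNaN(Number(name));
  return {
    id: looksNumeric ? String(42) : 42, // bug: id serialised as a string on this path
    name: name === 'null' ? null : name, // bug: the literal "null" becomes JSON null
    email: `${name.replace(/\W/g, '') || 'anon'}@example.test`,
  };
}

// One record per failing input, which is what you would log from a Monitor run.
function fuzzWithSchema(inputs, callApi, schema) {
  return inputs
    .map(input => ({ input, errors: validateSubset(callApi(input), schema) }))
    .filter(r => r.errors.length > 0);
}
```

Running `fuzzWithSchema(naughtyNames, fakeCreateUser, userSchema)` reports `1e10` (id came back as a string) and `null` (name came back as JSON null), each with the path that failed.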

If you have even moderate coding skills among your testers, they can work magic on a Postman budget. If you were used to adding your own libraries in the Chrome App, beware: the move to a packaged app means you no longer have the flexibility to add that needed library on your own (faker, please?).

More to come as I hear of them.

Tuesday, April 3, 2018

Urns

My father passed late last year, and I made three nondescript urns as keepsakes for family and friends. It was the first time I made a box of any respectability since 2000.  I hadn't originally planned to make them when he passed, but making them helped me process things in a difficult time.

I was the responsible party for my father's estate as his wife does not speak English very well. As such, it fell to me to arrange the funeral, notify friends, and start to organize his affairs. I kept it together. The arrangements were made, the bills were covered, and all in a few days. I kept it together, that is, until I tried to return to work. I got ready. I even got in my car to go. But I could not. Instead, I went into the shop and executed a simple design for holding a portion of his ashes.

The material is Indian Rosewood (the same that I used for the magnetic bottle openers). The strong grain made mitered corners a natural choice. I even had enough contiguous grain to try to book-end most sides. I didn't have a keyed or splined miter jig (which could have strengthened the corners), but I figured the lid and bottom would provide a good brace against failure.

Dimensioning the lumber wasn't very difficult; it was the geometry of the corners that caused me real trouble. I left the sides thick to give each box some heft. I eyeballed the lid thickness and shaved down some beautiful figured grain to just the right height (maybe I overshot it a little and had to clean it up later). When I got to cutting the miters, I found that I didn't have any accurate way to match them up. The miter saw was definitely not accurate from cut to cut. I lost a lot of material on the table saw trying to get a canted blade to just the right angle. I finally settled on using my miter sled. I had to cut the sides down a bit to make sure I could make the entire cut in one pass. By the end of this therapeutic day, I had three roughly identical boxes ready for glue-up.

The second half took a few more months to pull off. Uncertainty about the accuracy of the cuts led me to put the project on hold. Should I delay and try to true them with a shooting board? My girlfriend gave me the most wonderful advice once: when you find yourself rushing a project, put it down and come back later. The parts to three urns marinated on the bench and in my mind for a few months.

A test fit in March didn't seem too bad. The time off convinced me to persevere and get them together. I discovered too late that I mixed up the orientation of the edges. My careful bookends were a jumble on two of the three boxes. However, the imperfect corners and dimensional problems worked to hide the errors amongst each other. Sanding trued up protruding tear-out and splinters without obvious rounded-off corners. Finally, dark stain and some paste wax finished the work of hiding imperfect joints in dark recesses and shiny polished surfaces.

I finished the bottom with plywood. If I had to pick a spot where I'm uncertain about my choices, it's here. Glue is strong, but how will the Baltic birch bottom hold up over time? I'm thinking of throwing in some brads there just in case. The bottom served as a canvas whereon I could memorialize my father. I was able to burn the message "Invictus Maneo", the Armstrong Clan (and our ancestral) family motto. Loosely translated, it means, "I remain unconquered."

This entire project was an object lesson in how I'm still learning some of the most basic techniques in woodworking. I need a way to clean up miters that start on the saw. A shooting board or similar has been recommended. Fine adjustments on my existing miter sled might also work. Though it didn't seem too bad once finished, the tear-out on certain cuts makes me think I have a dull blade. I'll have to investigate, tune, and try again.

I think I've worked through a phobia of complex geometry. Something my father always talked about is how to hide your mistakes in woodworking. Bookends, miters, and a fitted lid left precious room for that, but I found a few tricks along the way such as meticulous test fitting, blue tape as clamps for difficult pieces, and patience above all. Regardless, I'm looking forward to the next boxes I build. I hope those have a markedly different emotional footprint.

Friday, March 30, 2018

Inquisitor Eisenhorn

I recently finished painting the Inquisitor Eisenhorn 30th Anniversary figure. As he was one of my father's favorite characters from Dan Abnett's 40k works, he will lead the reliquary squad to guard his urn in my display case!  Most of the techniques are standard, but I learned two things.

The first is that faces are really difficult without the right colors. I couldn't get the blending right with the washes and pots I had. The end result was muddy and pale. I touched it up after some research, and he looks better as a result. The hooded eyes ensure that the genetic anomaly called Private Dickard Syndrome doesn't affect Eisenhorn too. A little grey dry brushing on his chin gave him the 5 o'clock shadow and a little depth to match his hair.

The second bit of learning was around highlighting armor. Because he has so little, I didn't get sick of it and give up. The teal shoulder pads were a dream. They are a very simple highlight that allowed me to build up a rich color. The sharp white highlight was carefully applied, and it makes it look shiny without having to apply a lustrous enamel. I like it so much that the rest of the reliquary squad will have this color on their Tempestus breastplates.

Overall, I like one-shot characters like this for learning new techniques. And this figure has enough detail to try many more. I particularly enjoyed the base with its cracked emblem and shiny brass.