Have you ever had a Mai Tai? If you drink, the answer is probably “yes.”
Was it made correctly? The answer to this one is “probably not.”
There is some debate about the origin of the venerable tiki cocktail, but I personally believe the original recipe for the Mai Tai should be attributed to Vic Bergeron, aka “Trader Vic.”
This is the recipe:
2 ounces Jamaican rum (I use 1.5 Appleton Estate and a .5 Diplomatico, which is Venezuelan, but it’s damn good)
1/2 ounce orange curacao (Cointreau is fine even though it’s technically a triple sec)
1/2 ounce orgeat syrup (Check Wegmans)
1/4 ounce simple syrup (cane sugar)
Juice of one whole lime
Pour into a shaker with a lot of cracked ice, and shake vigorously. You really want to froth it up in that thing. Then pour the whole thing, with the ice, into a double old fashioned glass. Top with a sprig of mint and one half of your spent lime shell. It’s supposed to look like an island with a palm tree. Look, I don’t make the rules, just go with it.
If this sounds odd to you, it’s because most Mai Tais today are made with a mix, and usually with fruit juices like pineapple, and/or coconut flavorings. Then a pineapple stick with a maraschino cherry is added. I do add the cherry myself, but the original recipe doesn’t call for that, or any of the other stuff. Over the years, it’s been twisted into something commercial, and often looking like it literally came from a commercial.
The “real” Mai Tai is a simple drink that takes good, fresh ingredients and turns them into something pretty remarkable. In fact, you might read the ingredients on their own and wonder if this is actually any good, but the whole really is much greater than the sum of its parts.
Once a mix is put together, it can’t be disassembled. It’s OK to use mixes if they’re good, like Zing Zang, but when the mix you’re drinking differs wildly from the original intent of the thing the cocktail was trying to do in the first place, that should arouse some suspicion. The intent for the Mai Tai being that 1) rum can be appreciated and that 2) simple is better.
So what can cyber practitioners learn from the storied history of the Mai Tai? Do things simply, and execute them well. K.I.S.S. “Complexity is the enemy of security,” so too for a good cocktail. We’ve seen broad consolidation of tooling in the security market in 2024. Vendors herald this as a great thing for their customers, and naturally we’ve seen the return of the 2010s-era marketing around visibility through “a single pane of glass.”
I can well see through a bottle of cocktail mix. I have no idea what’s actually inside the bottle, or if it was mixed correctly. Practitioners should be wary of this scheme. A single pane of glass isn’t valuable if you can’t really tell what’s on the other side of the pane, or if the pane only becomes clearer with an additional license. Nothing in security begets more work than tooling, an endless series of options that generate more work for you and more ARR for your vendor.
The “zero trust” marketing from vendors hit a fever pitch about two years ago, then when generative AI became popular, it seemed to all go out the window. Why? Maybe it’s because zero trust is real work, or maybe it’s because good security practitioners can look at zero trust as an opportunity to stop using all of their expensive tooling and focus on basics, and vendors started to realize that too.
Palo Alto has disclosed multiple vulnerabilities in 2024 at a rate I haven’t seen before. Time will tell if this is a one-off, or if it’s because they’ve finally spread themselves too thin. Which is it? Their firewalls were the rum, the services were the syrups, and Panorama was the lime. You knew what it all did. Look at Palo Alto’s website now. Do you have that same assurance today that these parts are still just as effective? What about Crowdstrike? Are all of these features delivering value, or are they a solution in search of a problem, and if so, is the problem “we need to figure out how to deliver shareholder value?”
The fresh Mai Tai is unpretentious and needs no unnecessary adornment or sweetener. Don’t take my word for it, mix it yourself. There is no beverage on Earth more balanced (except for maybe Coca-Cola, which coincidentally also retains its original recipe); it’s sweet, but just so. Tart, but not too much. It is wholly punchy and refreshing. It knows what it wants to do and does it without getting in its own way, which is something security practitioners seem to continuously forget how to do.
It works smart, not hard.
You probably want to limit yourself to two though, unless you’ve got a couple of plates of skewered chicken and crab rangoon. Aloha!
I ran a secret Santa for my distributed friend group this year. It being 2023 and all, I used ChatGPT to do the Santa assignments and generate some creative secret Santa messages, of which it did an admirable job. As usual, more detail is better when it comes to that thing.
Here was my prompt:
Here is one of the results:
Unfortunately as the organizer, doing these things comes with the major drawback of “well, I’m the organizer, so I know who everyone is sending a gift to,” making it only a secret-ish Santa.
There are web-based services that do exactly what I was trying to do with this project, but since none of them have the prerequisite of being a huge nerd, I decided to home-grow my own solution using Python and Ollama, Meta’s free large language model.
I also figured I’d throw some encryption in the mix so the message would actually be a secret, not just to the Santa participants, but to the organizer. So I slapped it together and called it “Secreter Santa.”
If you want to try this thing, you need to be running Python 3, and a recent version, because there is some reliance on the correct ordering/index of lists. That’s something I can change, but this was just a fun thing and a proof of concept. You also need to run Ollama, and there are some libraries you need to import to be able to send the prompt to the LLM and do the cryptography.
Ollama is totally free, and you can download it at https://ollama.ai – it is not as good as OpenAI at handling prompting, which leads to some weird results. I’ll get into that later.
I used a hybrid encryption scheme to do this, since the return from the LLM prompt is an arbitrary length, and you can’t encrypt data with RSA that is longer than the key itself.
How it works:
Organizer collects the RSA public keys from each participant. There are a fair number of free tools online you can use to generate keys. I wouldn’t use them for production, but for testing they can help.
The program runs and prompts for the name of each participant and their RSA public key, which can be pasted in. Each name and key pair is stored in a dict.
The program uses the random.shuffle() method to assign the participants to each other.
The program sends a prompt to Ollama, which is assumed to be listening on its default port:
The program generates a random 16-character AES key for each participant and uses the key to encrypt the message based on the prompt. The encrypted message is written to a file.
The program takes the public RSA key for each participant and encrypts their corresponding AES key.
The encrypted AES key is printed to console.
Once the organizer sends both the encrypted message file and the encrypted key to each recipient, they can run the “Unsecret Santa” program to decrypt and display the contents.
Unsecret Santa prompts the user for their message file, their .pem (RSA private key) file, and the encrypted key. It does the work for you from there and displays the message.
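The encrypt and decrypt steps above, as an added example; this is not the Secreter Santa source, which the post does not show. It assumes the `cryptography` package, AES-GCM with 16 random bytes as the per-participant key, and RSA-OAEP to wrap that key. The function names are made up here, and the self-assignment check and `secrets.SystemRandom` go beyond the plain random.shuffle() described above.

```python
import os
import secrets

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumption: RSA-OAEP with SHA-256 wraps the AES key (the post names no padding).
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)
NONCE_LEN = 12  # standard AES-GCM nonce size in bytes


def assign(names):
    """Return {santa: recipient}; reshuffle until nobody draws themselves."""
    if len(names) < 2 or len(set(names)) != len(names):
        raise ValueError("need at least two distinct participants")
    rng = secrets.SystemRandom()  # OS randomness instead of the default PRNG
    while True:
        shuffled = list(names)
        rng.shuffle(shuffled)
        if all(a != b for a, b in zip(names, shuffled)):
            return dict(zip(names, shuffled))


def seal(message, public_pem):
    """Organizer side: encrypt the message for one participant.

    Returns (wrapped_key, blob). blob is nonce || ciphertext || tag and is
    what gets written to the message file; wrapped_key is the AES key
    encrypted under the participant's RSA public key.
    """
    public_key = serialization.load_pem_public_key(public_pem)
    aes_key = AESGCM.generate_key(bit_length=128)  # 16 random bytes
    nonce = os.urandom(NONCE_LEN)
    blob = nonce + AESGCM(aes_key).encrypt(nonce, message.encode("utf-8"), None)
    return public_key.encrypt(aes_key, OAEP), blob


def unseal(wrapped_key, blob, private_pem):
    """Participant side: unwrap the AES key, then decrypt the message file."""
    private_key = serialization.load_pem_private_key(private_pem, password=None)
    aes_key = private_key.decrypt(wrapped_key, OAEP)
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    # Raises cryptography.exceptions.InvalidTag if the file was altered.
    return AESGCM(aes_key).decrypt(nonce, ciphertext, None).decode("utf-8")


def make_keypair():
    """Constructed test key pair; real participants generate their own."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    private_pem = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    )
    public_pem = key.public_key().public_bytes(
        serialization.Encoding.PEM,
        serialization.PublicFormat.SubjectPublicKeyInfo,
    )
    return private_pem, public_pem


if __name__ == "__main__":
    people = ["Ann", "Bo", "Cy"]  # constructed names
    keys = {p: make_keypair() for p in people}
    for santa, recipient in assign(people).items():
        # Stand-in for the text the LLM would return for this pairing.
        note = f"Ho ho ho, {santa}! Your giftee is {recipient}."
        wrapped, blob = seal(note, keys[santa][1])
        print(santa, "->", len(blob), "byte file, key", wrapped.hex()[:16], "...")
        assert unseal(wrapped, blob, keys[santa][0]) == note
```

Because the message is encrypted under the AES key and only that 16-byte key goes through RSA, the message length is not limited by the RSA key size.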
So, from a pure security perspective, there are some holes here, but it’s still interesting – unless you’re yanking the unencrypted message out of memory before the encryption step, there’s no way to attribute the message to any author, because it wasn’t written by an author, and the sender of the message has no idea as to the message’s contents. There is some element of digital signing that could happen here too, but let’s not get too far ahead.
Anyway, this is where I ran into some limitations of Ollama, where it is just a little too eager to offer its…guidance on things it wasn’t prompted to offer them for.
This result was pretty good but it’s weird to me that it offered specific suggestions as to the gift without being prompted to do so, which is not something I ever experienced using ChatGPT.
In another return, the prompt offered “a hint” that the recipient “loved coffee” and specifically asked their Santa to order their recipient coffee for their gift.
The results of the prompt varied pretty wildly in weird and sometimes funny ways. Some of them include lots of Instagram-worthy hashtags, some are quite formal in nature, and others are only a couple of curt sentences. I recently saw a comparison chart of large language models making the rounds on LinkedIn, and I can’t lend that too much credibility (because LinkedIn) but it did have Ollama at the bottom.
Hi, I’m here. I didn’t reissue my SSL certificate and our life was essentially plunged into chaos, so I just let it go, which was bad.
In 2022 I decided to re-activate my LinkedIn profile and in the ensuing events ended up doing more posts on LinkedIn, when I thought, “hey, I have an actual website that I pay real money for on which I can post things, and then those things aren’t the property of Microsoft.”
So I’d like to do more posting here instead and may cross-post some of my longer stuff that I already wrote on LinkedIn back in here, then I can have two places where I’ve written some stuff that nobody will read.
I have some cleaning up I need to do on the site, my resume has gotten better with a new role and I can happily (I think) say that I’m done with 7/11 classes in my master’s program at Virginia Tech. We also had a daughter, who turns 2 in a few days, and Oliver is 4, which is wild.
We also moved into a new house, which is great despite being also something of a shitshow, though we’re doing our damndest to let it go. The house itself is pretty baller; the last place was just getting too small, so we needed something where each of us could have a dedicated office space.
My hosting package for this site goes through the middle of the year. We’ll see how it goes, I’m considering packing it up and moving it over to something like an Azure static page, but flitting through the WordPress options and remembering how easy it is to use, I may just keep it here.
I had a brief conversation with a friend (hi Brad, again) the other night about SSL decryption. I could tell he was wary of the idea of SSL decryption in the business, and rightfully so!
Your employer breaking open the encryption on your network traffic seems like a huge violation of your privacy. I don’t really have a hard-line stance about this at work – you likely signed away your expectation of privacy on your work network as part of an acceptable use policy – but most companies have some commitment to their customers’ and users’ privacy and it’s a foregone conclusion that people are going to do some personal activities on their work devices. Does that mean your employer has access to all of your banking information? Probably not!
I’m not going to go through every nuance of SSL (TLS) and SSL decryption but will go through what SSL is, how it works, and what I believe a sensible policy should include and why decryption has become such a hot topic lately for businesses.
What is SSL?
Let’s start from the beginning. SSL stands for secure sockets layer, which has a successor, called TLS – transport layer security.
(Going forward, I will just say SSL. The differences between the two are pretty minor and beyond the scope of this post.)
SSL is a cryptographic standard for encrypting data traversing a network, most commonly across the internet. It puts the “S” (secure) in “HTTPS.” SSL uses both asymmetric and symmetric-key cryptography via a public key infrastructure.
Here’s the deal. In the IT world, we usually try to use real-world analogies to explain technical concepts, as if the things we’re talking about somehow do not exist in the real world. Anyway, when you’re talking about cryptography, this is a hard thing to do.
I can’t take full credit for this “one-way box” explanation, but I don’t remember where I read it, and I’m going to add some of my own flair. Imagine you want to buy a car, but it’s the pandemic and you’re at home and you don’t want to spend hours at the dealership with a bunch of paperwork. “No problem,” the dealer says. “Just fill your information into a secure form online.”
Now imagine that the form is a physical item and you have to give it to them in person. (Bear with me.) The dealership has a “paperwork box” to drop the form in. But this is a weird box. It has one opening in the front, and another opening in the back. The back opening is locked with a strange lock with a keyhole, but it’s so complicated, you’ve never seen anything like it.
There’s another weird thing about this box. You put the form in, and it falls out the bottom. Huh? You try again, same thing happens. Then you notice a stack of envelopes on the top of the box, with a label that says “free, take one.” The envelope has some detailed information about the dealership, manager contact info, etc. There’s even a stamp on it from the chamber of commerce** with the business license number, and signed by their representative. Clearly, this dealer really is who they say they are. You put your payment info form into the envelope, and put it in the box. Voila. It’s accepted. Congratulations on your new…I dunno. Tesla.
If you read that and said, in your best The Simpsons Comic Book Guy voice, “sir, there is a glaring technical error in your analogy,” the glaring error being that encrypted data is not encapsulated in “an envelope” but algorithmically altered as to be unreadable in transit, yes you are correct.
But I don’t have a good analogy for this, and I’m not sure it exists. If it does, leave one in the comments!
Let’s break down the analogy into its technical elements, and talk about how this transaction would’ve occurred if you really could send this form electronically to the dealer. You go to the form on the dealer website, and you see the “secure” icon in your address bar, indicating your connection is secure.
Your browser just went to the dealer’s website and got the public key from their web server. This is the envelope with all of the information on it – the public key encrypts the data. Anyone can get the public key. It’s free. The public key has a mate, the private key. The private key decrypts the data, or can open the lock on the back of the box. It would be pretty bad if someone else got that key, so the dealer has taken extra steps to prevent its theft. Theoretically.
You can also generate a key pair whenever you want. “Does this mean I can just pretend to be the dealership?” Not exactly. Remember the stamp from the chamber of commerce? The one with the signature? That’s an independent third-party verifying the identity of the dealer. The web works the same way.
Secure website key pairs are generated in what’s called a certificate signing request. Basically, “hey, chamber of commerce, can you certify that I am who I say that I am, and keep a public record of it?” When the request is approved by a certificate authority, the public key of the pair* is tied to a digital signature, and returned to you as a certificate you can install on your web server. Every web browser is pre-configured to have enough relevant information about the certificate authority (the chain of trust) that the user doesn’t need to take any other action here, just like you don’t need to take any action to trust that your chamber of commerce has accurately assigned business licenses. Neat!
There is a little more to the process. When your browser verifies the certificate of the website, it uses their public key to encrypt some random data to send to the web server. Remember, only the web server can decrypt this data with its private key. This data becomes the session key between both machines. The web server decrypts this session key and returns a message to your browser, as if to say “I can prove to you that I have the key to this box, and I can open it.” Because both parties are now using the same symmetric key, data can go both ways. It’s pretty cool. This process is called the SSL handshake.
Here’s an image of the handshake from IBM. All credit to them.
This technology is really foundational to privacy and security on the internet. You can learn more about the encryption algorithms – there’s plenty of info out there.
SSL Decryption
This isn’t a foolproof process, though messing with it takes some resources. An organization can declare itself a certificate authority for its users, and direct certificates to user endpoints on its behalf. Since business endpoints will trust this enterprise certificate authority as a legitimate entity, the certificates they receive appear to be from the destination they’re trying to reach. This internal-only certificate is (definitely should be) properly signed by a “real” certificate authority.
From here, the decrypting device can act as a “man in the middle” and can proxy requests for secure websites. Because the endpoint trusts the decrypting device, and the decrypting device has (or has immediate access to) the private key, the device decrypts the traffic, inspects it, then forwards it to the real website using the same process we already went over. The real website doesn’t know any better.
So to sum that up, the decryption process necessitates:
1) A client’s willingness to have its chain of trust manipulated
2) The proper certificates to enable the decryption process
3) A device that can facilitate the work of performing the decryption
The question is, why?
Challenges in the Business Environment
Man, getting an SSL certificate used to be a process. In my day (combs neckbeard) you had to pay $20-ish for the certificate, then create the CSR, then upload it, then get the certificate, then there’d be some setting in IIS or httpd.conf you’d have to change, then invariably you messed something up, then you’d have half your site on not-encrypted http and other parts on https, then you’d have to restart httpd, then you’d look at some other thing for a while and forget what you were doing to begin with.
BOR-ING. Now you can just use Let’s Encrypt and certbot to get a free certificate installed on your web server in like a second. BOOM. You’re good to go faster than Sonic the Hedgehog after a pile of chili dogs. Sheeeeeeeeeeeeeeyit.
What’s the most common cyber-attack? DDoS? Maybe, but if phishing isn’t the most common by now, it’s extremely close. So let’s say you have a user base that isn’t the most technically inclined.
What have they been taught all their lives? Green padlock = safe! So when they click on a link in a phishing email, and that link takes them to “their bank” or “the company benefits page” – they see the green padlock. “This is safe” they think, put their credentials in, then they press enter.
For IT security enthusiasts, privacy advocates, and professionals, this truth gets into the range of being pretty uncomfortable. It’d be a reach to say something like “well, if everything is encrypted, nothing is encrypted,” but that’s sort of…we are on that bus. Don’t get me wrong, I think Let’s Encrypt is an amazing project and will continue to do great things for the internet. But encryption is a tool, and tools can be and are used for harm, and the people who stand to be the most harmed by it are not C-level executives, but employees trying to do their best. There are indisputably personal and professional impacts to people acting in good faith but affected by cyber threats.
If C&C traffic, malware traffic, and phishing websites are able to operate/communicate in a way where researchers and defenders have no insight into them, I’m worried about what that means for the next conversation we have about encryption at large, so businesses having sensible, practical, people-first decryption policies is a decent set of brake pads we can put on the bus.
Sensible Policies
Back to the concern about banking. I believe all decryption devices are able to selectively apply decryption, and if you are looking at a device where that is not an option, please look elsewhere. The engineer who is configuring your decryption should be able to put sites like https://bankofamerica.com in their decryption exclusion list, where the enterprise certificate authority is not used to facilitate an SSL forward proxy, and the chain of trust is not altered for that session.
After you’ve reviewed the legal obligations in your area about encryption, and had a conversation with HR and your leadership team about the go/no-go, consider the way you’ll implement your policy on the whole, and how it can add value to your business without completely betraying the trust of your users. Remember that the practical applications of cybersecurity are, first and foremost, value-oriented activities. Consider the messaging you provide to your teams and stakeholders.
What sounds better to you?
“Beginning Monday, we will be implementing web decryption on our network. We expect you all to sign new acceptable use policies regarding the use of this new technology.”
“Given the recent expansion of email phishing, ransomware, and malware attacks on organizations across the country, we’ve decided to implement web decryption to keep our business assets and users safe. We’ve worked with our partners to come up with a deployment solution that only targets suspicious activities and have attached updated documentation that explains what this means for you.”
Have a strategy. Vendors are more than willing to work with you on this; because of the increased processing requirements for decryption, it’s often an avenue for them to make another sale. Palo Alto Networks has a very helpful page about coming up with a decryption strategy for your network, even if you don’t use their products.
Leverage your synergies.*** How does your decryption device fit in to the rest of your network? Is it a firewall? Can you set up your decryption based on existing URL categories? For example, you might decrypt on “unknown” or “web-posting” (think pastebin) but not decrypt on “banking” or “ecommerce.” Are there any data loss prevention or credential theft features you can also take advantage of?
Be transparent. You are indisputably taking privacy away from your users here, even if they know they don’t have an expectation of it. You owe them a thorough explanation of the process and how they may be affected. What websites are you decrypting on? What was the business justification for decrypting that website or category?
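A selective decryption policy of the kind described above, as an added example rather than any vendor's configuration. The category names and bankofamerica.com come from this post; the other hostnames, the category lookup table, the justifications and the function names are constructed for illustration.

```python
from dataclasses import dataclass

# Hosts that are never decrypted, whatever their category.
EXCLUDED_HOSTS = {"bankofamerica.com"}

# category -> (action, business justification). Constructed justifications.
CATEGORY_RULES = {
    "unknown": ("decrypt", "uncategorized sites are where new phishing pages appear"),
    "web-posting": ("decrypt", "paste sites are a data-loss channel"),
    "banking": ("bypass", "personal financial data"),
    "ecommerce": ("bypass", "personal payment data"),
}

# Stand-in for the firewall's URL category database (constructed entries).
HOST_CATEGORIES = {
    "pastebin.com": "web-posting",
    "shop.example": "ecommerce",
    "creditunion.example": "banking",
    "news.example": "news",
}


@dataclass(frozen=True)
class Decision:
    host: str
    action: str    # "decrypt" or "bypass"
    category: str
    reason: str


def normalize(host):
    """Lower-case the name and drop the trailing dot of a fully qualified name."""
    host = host.strip().rstrip(".").lower()
    if not host or " " in host or ".." in host:
        raise ValueError(f"not a hostname: {host!r}")
    return host


def parent_domains(host):
    """Yield the host, then each parent: a.b.c -> a.b.c, b.c, c.

    Matching whole labels from the right means bankofamerica.com.evil.example
    is never mistaken for bankofamerica.com.
    """
    labels = host.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def decide(sni):
    """Decide whether to decrypt a session, given the requested hostname."""
    host = normalize(sni)
    for name in parent_domains(host):
        if name in EXCLUDED_HOSTS:
            return Decision(host, "bypass", "excluded",
                            f"{name} is on the exclusion list")
    category = next((HOST_CATEGORIES[n] for n in parent_domains(host)
                     if n in HOST_CATEGORIES), "unknown")
    # Categories without a rule are left alone: only listed ones are decrypted.
    action, why = CATEGORY_RULES.get(category, ("bypass", "no rule for this category"))
    return Decision(host, action, category, why)


def published_policy():
    """The list you hand to users: what is decrypted, what is not, and why."""
    lines = [f"never decrypted: {h}" for h in sorted(EXCLUDED_HOSTS)]
    for category, (action, why) in sorted(CATEGORY_RULES.items()):
        lines.append(f"{category}: {action} ({why})")
    return lines


if __name__ == "__main__":
    for name in ["www.BankOfAmerica.com.", "bankofamerica.com.evil.example",
                 "pastebin.com", "shop.example", "news.example"]:
        d = decide(name)
        print(f"{d.host:32} {d.action:8} {d.category:12} {d.reason}")
    print("\n".join(published_policy()))
```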
I hope that’s a helpful primer to SSL, decryption, and why we’re seeing more and more of it at scale. Having to implement this technology in the business is a nose-holding endeavor, but I do see it as increasingly necessary as the majority of the internet goes secure and we see the continued proliferation of cyberattacks. If you’re leveraging this in your organization, how’s it going? Let me know in the comments.
*(The private key is too, because the public and private keys are inextricably linked, but the certificate authority doesn’t need your private key to generate the certificate. In fact, don’t send the private key to them. Don’t send it to anyone. Seriously.)
**(It has been pointed out to me that this is not actually something a chamber of commerce does. This is why I am a technologist and not a businessy businessperson. INTERNET: SERIOUS BUSINESS.)
***(Did I really write these three words?! In a row?!)
I remember the first CD I purchased. It was actually two CDs. One was Chumbawamba’s Tubthumper. The other one was Daft Punk’s Discovery.
There used to be a music store in Fredericksburg, The Blue Dog. They were known for being able to procure pretty much any CD or vinyl you could want, back when that skill had value. My dad had a lot of love for that store – you could ask them to crack open pretty much any CD you wanted, and they’d do it, and they had a listening area – a try before you buy – with some expensive cans and multi-disc CD changers, and leather couches. It was cool.
I was not cool. I was an awkward 14-year old with a blue Sony Walkman CD player stuffed haphazardly into the pocket of his cargo shorts. But I did buy some CDs, and I did have (plenty of) cargo shorts to fit them in, and I do remember buying Discovery, with its weird liquid metal album cover.
At that age, I didn’t know what electronic music even was. But this was great. A literal “discovery” of an entire genre of music I had never even heard of. Every track meant something. Every pulse, untz, and blasting synth. I couldn’t tell you the number of times I’ve listened to Discovery, and (like many nerdy teenagers) fell into the allure of Interstellar 5555, the trippy concept anime based on the album. Most other people I knew listened to other stuff. I have never been into other stuff. But I was always into Discovery.
When I was 16, I went to a youth tech program in California. It was basically a week-long camp for computer-y people about how they might become a CEO, or something. This was when Silicon Valley was a thing, but not a thing that you could make a TV show about and have people think it was funny. It was just a place where you could go to work if you were a smart person, so I’m not sure why my parents decided to send me to this thing. As part of this event, you could take a tour of some companies in the Bay Area. One of the options was Apple, so I went on a tour of the Apple campus.
No visit like this would be complete without a trip to the Apple company store. I remember buying a t-shirt with a grey Apple logo on it. I also bought (to the disdain of my parents, who funded this trip with a debit card) a small, white box with four buttons on it called an iPod.
“You bought a what?”
In these times, of course, you couldn’t get anything wirelessly, so I got some weird electronic music from a friend (hi Matt) by plugging the iPod into his laptop and taking whatever he had.
(Incidentally, that music ended up being, mostly, that of Neil Cicierega, whom you’ve heard of if you’ve heard of Harry Potter Puppet Pals.)
As soon as I got home from California, it was my life’s mission to get Daft Punk on this thing. Blue Dog was old hat at this point, so I pulled all of the songs off of Discovery (remember “Rip, Mix, Burn?”) and turned to the nascent iTunes Music store. That next year, Pepsi had a promotion where there’d be a code for a free song in the cap of every nth bottle of Pepsi, and if you looked up from the bottle upside down just so, and you tilted the bottle just right, you could see if you had a code. I bought a lot of Pepsi, and redeemed most of the codes for other Daft Punk albums.
Daft Punk always persisted. In college I had some money, so I bought Human After All from the iTunes Store and downloaded it onto my iPod. Human After All wasn’t and isn’t as good as Discovery, but it still had some bangers. I figured out ways to sneak Daft Punk songs onto mix CDs, and give them to girls I liked. This was a thing you did. Or I did. But it worked in High Fidelity, so.
The iTunes Store had stopped being so nascent by this point, and had become the powerhouse for buying music and downloading it to your iPod. The Blue Dog had closed.
Around 2006, Daft Punk announced they were going on tour, and releasing an album of the tour, Alive 2007. I bonded with one of my best friends (hi Brad) a great deal about Daft Punk and this album. An incredible production, though my age has made it sort of a tiring listen – it’s just so damn loud. Brad loved Alive 2007. It became a hallmark of the late 2000s that Brad would drive around College Avenue in Fredericksburg in his orange Mitsubishi Eclipse convertible, blasting it as loud as it could possibly go. You could hear Brad and his rolling disco from half a mile away.
Things blur a bit here. Alive 2007 wasn’t much of anything new, more original mixes of their existing stuff, but turned up to 11. I had long since moved on from blue Walkmans and iPods and was in a blue Civic Si, a fun car that had a CD player – cars today don’t even have CD players anymore. I had moved on to using Spotify, and moved up to Boston where I met my now-wife.
Then, when I turned 24, I heard that there was a Daft Punk movie coming out. It was called Tron: Legacy. I think Tron: Legacy is actually a fine movie. The soundtrack was the first truly original stuff from Daft Punk in a while, and it was mostly great – though there are some tracks in there that they had to make for the movie, and they don’t really sound like Daft Punk. By and large, though, it was solid stuff.
And they are in the movie!
I was at work when the teaser for Random Access Memories dropped in the form of a clip from “Get Lucky.” This was classic Daft Punk sound. The most Daft Punk of Daft Punk-ness, without Disney’s meddling. Then the album launched, and people were…confused.
Random Access Memories has gotten better with age. When I first listened to it, I thought it was weird. It was Daft Punk, but a new direction. Unafraid of the consequences, they made something they knew wouldn’t be for everyone. A concept in the same vein as Dark Side of the Moon. Less iconic, but certainly a grand work of art, and it did win the Grammy for Album of the Year in 2014. In retrospect, I know better now – that its old, weird sound, evocative of the late 70s and into the 80s was the point. It was eight years ago, but it’s easier now to look back on Random Access Memories and see it as an album created in Daft Punk’s twilight. Maybe they saw it, too.
They’ve done some work since then – I remember hearing The Weeknd’s “I Feel it Coming” for the first time and saying out loud to my wife, “hey, this sounds like Daft Punk,” and she says “it is Daft Punk.” Because really, only Daft Punk sounds like Daft Punk. And sure enough, they’re in that music video too, as alluring and mysterious as ever.
I heard about the news today from none other than Brad. His text read “love is over,” with a link to the Pitchfork article.
“Daft Punk Break Up”
I watched the Epilogue video they put up on YouTube, where one of the duo decides to have the other activate their self destruct sequence. (Is that one Daft, or is that one Punk? Or are they both just what they are? Are we all Dafts and Punks?) Funny and bizarre, and a little surreal.
Then, the chorus from “Touch” comes into the focus through my headphones, and as it rises and falls, I feel my chest tighten and ache, the emotion comes to my eyes. Grief. The song cuts away, and I am left in an existential ennui. A reflection of my own self through music that’s been with me well into my adult life. A reflection of changing times and changing technologies. No more.
When you get into your 30s, you get to be old enough to lose things you care about. (Chumbawamba is gone too.) As time continues its inexorable march, the more of that lost stuff you hold on to. I remember the long road trips in my dad’s pickup truck to my grandfather’s old house in Pittsburgh, listening to The Doors, and my mom’s “cleaning parties” where she’d listen to Blondie. I am one of those people now, another one of the olds, still listening to “Aerodynamic” and “Human After All” and even “Around the World.” The gen-z’ers are already old enough now to realize that their elders are wrong and bad, as is the way of the universe. What will my son say about Daft Punk when he’s old enough to have a real opinion? “Dad, this is crap.” Maybe he’s right. Maybe everything we hold on to is just nostalgia, the idea of the thing. Like an ex-girlfriend. I hope I’m wrong about that, and that there really is something timeless to Daft Punk’s sound. We’ll see.
“If love is the answer, you’re home. Hold on.”
My son retreats into his iPhone 17, listening to the latest from whatever genre the music industry decides to remix from the past. The phone knows what he wants to listen to before he does. Meanwhile, Taylor Swift, greying, plays an intimate but sold-out show at The Birchmere. I get into my family-hauling vehicle and press the start button to the hum of the electric motor, and I ask it to queue up Discovery. One more time.
This is one of those posts that isn’t that long, but since I have some aversion to Twitter threads I didn’t want to turn it into some “1/n” thing.
I’m going to start by talking about network requirements, even though that’s not really what this post is about, because network requirements are interesting and topical. The “new normal” has created some considerations/constraints on resources that most organizations don’t usually have to contend with, like “how do we deliver this service reliably to people who are hundreds of miles away and to people in our office at the same time?” At my place of employment there has been some discussion about network requirements and bandwidth needs for schools implementing hybrid learning; a school running teleconference equipment with teachers live-streaming their classes has greater network requirements than a school that doesn’t.
The typical solution to this problem is simple: overprovisioning, or buying more bandwidth than you think you would ever possibly need. For an organization of means, this is a fine solution, although inelegant if you subscribe to the systems engineering principle of “free capacity is wasted.” However, bandwidth is relatively cheap, and future use cases are hard to predict.
The typical thought process for capacity planning is something like “if I have 10 users who need 100mbps each, I need a 100mbps connection.” That’s wrong for a number of reasons, but most obviously, it assumes each capacity-consuming entity is using 10mbps all the time, which they almost certainly are not, even in 2021. However, there are other factors in play, and networks are bottlenecked all the way down to the endpoint.
This is actually interesting stuff; if you want to get into it, you have to dig a bit. I wanted to freshen up my memory on it, so I decided to do some of that.
I was fairly disappointed in what I found, which is an increasingly common feeling I’ve been having using Google. Google is becoming less and less useful, partially because I’d consider myself mid-career at this point, and I know what I don’t know. But Google as a tool is increasingly becoming a victim of the things that make it a viable product in the sense of “we have this thing and it needs to generate revenue.”
Anyway, after reviewing multiple sources, I found out that a pioneer of doing “network math” is William Stallings, an MIT-educated author who has written many books about computer science and systems engineering, and he writes about calculating network load in his book Local and Metropolitan Area Networks, which appears to have been last updated in 2000.
Bandwidth was not cheap in 2000.
My source for this information ended up being a Cisco Press text – Top Down Network Design – I accessed via my O’Reilly subscription. The O’Reilly subscription is an excellent and comprehensive technical resource. A Library of Alexandria, but for neckbeards. It is also $499 per year if you are an individual – I’m fortunate enough to receive a subscription to the service through my employer. Some libraries may offer it as well.
Google would have you believe that network capacity planning is a problem that can only be solved if you are one of many vendors leveraging inbound marketing and optimized SEO to provide your viewer a surface-level understanding, with maybe a smattering of technical information, of the content they are trying to understand. If you do a Google search for “network capacity planning” (without quotes) – of the first 10 results, 9 are vendors. On the second page, I get this result:
It looks like this would be pretty good, but (like many SEO-optimized inbound posts) it’s not really a “guide to bandwidth capacity planning.” More like “a list of bad things that will happen if you don’t pay us to do this work for you.” (God help you if you need to do work on your house and you search for something.)
What this marketing vehicle provides can be pretty informative, and is often engaging, but is not really a path to understanding, more of a path to purchase. To be clear:
I understand this is a valuable business practice, and some of this content is truly useful. Compared to the advertising of the early web, inbound marketing is much less sinister. It’s also easier. I used to ask vendors for whitepapers all the time. The information here is no different.
Most people are pretty good at knowing when they’re being sold something, especially when given time and space to read and reflect on it.
Almost all vendors set up the next step of the engagement for you, which is usually getting ahold of someone inside the sales organization of that vendor.
So what’s the problem? Getting paid is good. I guess.
The early internet was created and used for supporting defense programs and research institutions. A place where knowledge existed for the sake of knowing it. Like many things, capitalism has turned this model on its head. Rather than looking for information, many have leveraged the internet to placate an algorithm they don’t really have any meaningful control over, regardless of the quality of their content or its factual accuracy. The marketplace of ideas has become…a marketplace. The impressions seem to matter, the SEO, the algorithm, but little else. Whatever draws your eyeballs the fastest, not the best. This is dismaying, and has made Google less useful – which of course it would when you consider Google’s incentives as it acts as a mediator in this exchange.
Then, if you actually want to get to quality information, you have to pay for it, behind a paywall or an article limit or a subscription, like the one I used to eventually find the information I was originally looking for. I have some sympathy for publishers here as much as I have disdain, because quality content takes time, effort, and resources to create and distribute, and that effort should be rewarded. At the same time, these controls over information enable questionable content (in accuracy and intent) to thrive, for free. I don’t know what the solution to this is, because this problem seems intractable, but I imagine the solution will include free or mostly free access to the internet at some point.
Maybe this is all one big nostalgia trip for a bygone era, where we sat wide-eyed at our desks in college and embraced the quirky and unknowable “Web 2.0.” Before the machines of capitalization and monetization repaved the information superhighway into a toll road, adorned with billboards of the highest bidder. Garish, wide, a sort of subliminal horror. As I look in the rearview mirror, I wonder if this is the best we could’ve done.
In trying to be at the forefront of my K12 org’s cybersecurity effort, I’ve observed a lot of…stuff. Some of that…stuff…and how to make decisions around it has been interesting and eye-opening, because working for K12 presents some interesting and unique constraints that don’t exist in other organizations, the largest constraint being that students are children and you cannot fire them. Damn.
Some of what I’ve observed is in line with what you see in any org, and some of it is in line (or just par for the course) for what you see in very large orgs, which is what Arlington Public Schools (for whom I do not speak) is. A very big organization. Some of what I’ve seen is highly technical, but a lot of it, and I think this is generally true in cybersecurity regardless of org size or mission, is nuanced and related to how people behave and what we as technologists can do about that.
Which brings me to content filtering.
Let me back up. Handling a request for content filtering, which is “subject cannot go to this URL because reasons,” is part of my duties as a K12 technology person. But let me be perfectly clear about this: content filtering is not cybersecurity, although well-intentioned people like to pretend that it is. Nowhere does “xyz is a distraction from learning/working” fit into the CIA triad. “But what about malware/phishing/etc websites?” These websites should be blocked – per a comprehensive security policy – because there’s a risk-based, technical reason to block them. But malware is malware. Phishing is phishing. Content…is internet content, or a thing you want to see on the internet that does not pose a technical risk to the organization.
If I haven’t convinced you, consider where your org’s content policy comes from in relation to its cybersecurity policy. I, as a security professional, may get a report of a website people are using to download torrents. I’m going to block that website because torrent sites are full of active threats, among other legal risks for allowing org members to seed torrents. But I wouldn’t decide to block, say, https://spotify.com, and if I did, it would likely go over poorly.* On the other hand, the CEO of a company might decide to block Netflix because it’s a “work distraction,” even though it doesn’t pose any cybersecurity threat. I’m engaging in cybersecurity, the CEO is engaging in content filtering.
This is actually how it works in my organization, and also for Fairfax County Public Schools, and probably others in this space – from FCPS:
“Only Instructional Services, through their curriculum committees, can determine which general categories to block.”
The cybersecurity team doesn’t make the content filtering policy, which is basically that we have a (reasonable) legal requirement to filter some content, plus an amalgam of loosely joined, well-intended opinions (in other words, a committee) that are melted down, cast, and cooled into a policy.
About that legal requirement. It mainly comes from the Children’s Internet Protection Act, or CIPA, which requires some content filtering on school (K12 only) and library computers in order for those organizations to get preferred pricing on equipment and internet service. It’s pretty specific, but the gist of it is 1: kids cannot look at “obscene material” (porn) on their computers (and the act very narrowly defines porn as something that must be visual, e.g. an image) and 2: schools must have a policy in place to teach kids about being safe on the internet. That’s it. It is a reasonable regulation.
There is another piece of legislation, the Children’s Online Privacy Protection Act (COPPA), that basically governs what information is collected from kids under 13. This rule is problematic in its enforcement and the FTC is “giving it another look.” Basically, online services are limited in what they can collect from kids under 13, which is problematic for them because it makes it hard to do targeted advertising. Most online services’ terms of service expressly forbid children under 13 from signing up for their services, but we all know how effective those terms of service are. There isn’t much of a relationship between CIPA and COPPA for content filtering, but the “13 years old” part is worth noting for reasons I’ll get into in a bit.
OK. So here we go. We have to filter on “adult content” – that seems OK – and we prevent threats to the org with a cybersecurity policy – that also seems OK. But if you’ve used your child’s device at all, you’ll know that way more content than this is filtered out. Why? And what’s the outcome of these policies compared to their intent?
When I was in school, a technologist could have written this post about how content filtering was simply ineffective. You’d try to block…some category of site, say adult content, and you’d end up blocking a bunch of safe sex education or whatever. I don’t think that’s true now, and the actual URL filtering we use (Palo Alto’s) is pretty effective, and gets it right most of the time based on categories and dynamic updates. But this isn’t 2004, and the nature and method by which students access the internet and what opportunities exist for children on the internet have radically changed.
I didn’t get a cell phone until 2006, and it had 0 internet capability – it was “just a phone.” Now everyone has devices, and if they don’t have one, they will. I have opined at length in other online spaces about how all schools will be 1:1 device schools whether they want to go that route or not, not because of the pandemic (though that has certainly accelerated things), but because educational content providers (textbook publishers) have a lot to gain from simply providing a school district (or college, frankly) with a chromebook for each student included with a content subscription that can be updated at any time and integrated into an LMS. There is real value there as opposed to printing new editions of heavy textbooks year after year and reckoning with the used textbook market. But I digress, my point being, if your child doesn’t have a school-issued device yet, they probably will soon. From the practical perspective of access to the internet, content filtering is really the only difference between a school-issued device and a personal one.
I’m going to pick on my own school district for a minute, because I think this is a particularly heinous example – but my school district blocks YouTube for K-8 students on their devices. The stated reason for doing this is something like “because YouTube’s TOS doesn’t allow children under 13 to use its service” – which is nonsense, because if this standard were actually applied evenly (including to sites like vimeo, which is not blocked but has the same verbiage in its TOS) they would be blocking like 80% of the internet. Anyway.
What is “the thing” a student loses by not being able to go to YouTube, or Vimeo, or any other video site that a school district decides they are going to filter out? Well, it’s a bit of a trick question, and the answer is that most of them don’t lose anything, because they have cell phones. They have had YouTube the entire time.
If they can afford it.
I took a look at VDOE’s most recent spreadsheet for how many students in each school district are eligible for free and reduced lunch (FRL) in Northern Virginia, with Alexandria City Public Schools at 59%, Arlington Public Schools, Fairfax County Public Schools, and Stafford County Public Schools at about 30%, Prince William County Schools at 42%, Loudoun County Public Schools at 18%, and Falls Church City Public Schools at 7%. These numbers, combined with the mission of these districts’ 1:1 device policies essentially being an equity one – “to close the digital divide” – make it pretty safe to assume that a significant number of students don’t have access to technology either at home or in their pockets. For many of them, their school device is the only device they have.
So a school district says – and let me be clear here, that I am not only picking on my district, and that I do think these policies are made with good intentions – here is a device with an internet connection, and we are going to filter the content on it and celebrate our victory over “distractions” and “inappropriate content,” but we know, because we put the program in place, that large equity gaps exist in our communities and can deduce based on real data that these content policies are mostly affecting minorities and the underserved.
I find it hard to have an honest conversation about equity in schooling when we agree that “equity” means “equity of opportunity” when, by overreaching on content filtering, we are depriving the community of people we’re trying to help of the opportunities to grow and learn more. To be sure, there is harmful content on the internet, but determining a standard of “harmful” outside of the obvious (already discussed) is…not really our job as people who work in K12.
(I could write an entire post about how denying access to one harmful resource simply motivates the subject affected by that policy to find their content somewhere else, potentially more harmful, but I won’t even get into it here.)
Consider what capabilities a person with access to YouTube (for example) has compared to a person who doesn’t have access to YouTube, even in YouTube’s beleaguered “Restricted Mode” for K12. If you wanted to know the history of the Cold War, you can know it in minutes. If you want to learn about language, you can. If you want to see the news, that’s there too, and in multiple languages. If you want to become a content creator, you can record a video and publish it, even monetize it. YouTube is not some golden arch through which you will find salvation, and it has a lot of well-researched, well-documented problems, but let’s not make everyone who uses it a victim of “distraction” when the real victims are the people who, by no fault of their own, don’t have phones with data plans or personal devices at home and can’t get to the videos at all. Let’s not pretend that monitoring YouTube content isn’t a weight that literally every parent with an iPad has to bear once in a while in exchange for a few minutes of peace. And there are many K12 districts that block YouTube without considering how they are blocking a technically safe, scalable platform for learning and freedom of expression for lower income families.
Consider also the filtering of online messaging, which many school districts do. It’s a thornier area than YouTube, but consider again who is harmed by blocking a website like Discord. If you rely on Discord to keep in contact with your friends, and you don’t have a phone, you’re worse off than your peers who do. Making students aware of the pitfalls of online communication and providing them the skills they need to become good digital citizens is a harder ask than “well, let’s remove access for everyone” – but it’s the ask we should be answering. Every company is a software company. Every org is a digital org. Remote schooling is here to stay. These skills are more important than ever.
I’ll leave with one last example, and the example that inspired me to write all this up. Earlier this year I was asked via a parent to block a business simulation game called SimCompanies because it was “a distraction.” I took this and understood it to be in good faith, but I played the game a little bit, and stepped out of my lane on it by objecting to the decision to block it. It is a fascinating and pretty deep game from which one could learn a good deal about economics. It was advised that the block remain, and I consulted our firewall vendor to change the content category for the game from “business and economics” to “games.” They refused. I showed the game to some friends – one told me I could probably learn more about business and economics from playing this game than anything I could learn in school, and I agreed. Most school districts would pay top dollar for an educational resource disguised as a game, yet here it was, and the kids were using it, and it was free. But we have the opinion from one parent affecting the filtering policy of 27,000 students.
I think we can do better.
To quote one of my favorite lectures from the game designer of Loom, Brian Moriarty:
“If super power is what people really want, why not just give it to them? Awesome things don’t hold anything back. Awesome things are rich and generous. The treasure is right there.”
School districts need to revisit their content filtering policies. They need to do it through an equitable lens with the understanding that good access to the internet is still, inexplicably, a privilege reserved for those who can most afford it, and that devices for privileged families are ubiquitous while the devices given to them by their school districts are hamstrung by misguided policy. This notion that video websites, social media, online chat, and games are a constant source of distraction for students simply cannot be true when we have an achievement gap correlating with race and socioeconomic status. Districts need to do the hard thing by bringing in community leaders and experts to help train children on the benefits of good digital citizenship and data ownership. Give the kids the treasure. And let’s empower parents by innovating new ways of making school-issued devices compatible with home internet filters.
Reasonable and prudent filtering is OK and good. As obscenity goes in this country, you know it when you see it, but turning people into leaders starts by giving them access to the opportunities and tools they need to grow into the goodness of leadership, not taking them away because we said so.
*I bring up this example because this actually happened to me. Back in the day, Spotify used P2P technology in its application (I believe it no longer does) – the security team on the org thought it’d be a good idea to block Spotify. It got to the CEO, the CEO got upset and overruled us.
Full disclosure: I am an employee of Arlington Public Schools, a K12 school district in Virginia. These thoughts are my own and not of the district or any school.
Two weeks ago, our (then) interim Superintendent distributed (to the public) a presentation about various scenarios of schools reopening in the fall. The scenarios are basically:
Open schools normally, which they say is the “least likely” scenario.
Open schools “sort of” with social distancing guidelines in place and reduced class sizes, a hybrid of distance learning and not.
Open schools with full distance learning, which is described as the “likely” scenario.
As time goes on, and the COVID-19 pandemic abates, and we are engaging in a national discussion about the many parts of systemic racism, and how inequitable access to learning opportunities feeds that beast, I have no idea how we are going to start school with distance learning, or if we can even really consider that a viable option anymore.
Virginia is Reopening Rapidly
As the health metrics for COVID-19 improve in Virginia, the state is continuing its reopening process – we are currently heading to Phase 2 of reopening as defined by the “forward Virginia” presentation from the Northam administration and the Virginia Department of Health. From the presentation, Phase 2 is to last 2-4 weeks or more, which liberally puts us at July. Phase 3, which is more-or-less a return to regular operations, is “10-12 weeks away, or more” – but my interpretation of this is to mean 10-12 weeks away from Phase 1, which is already ending or over for most of the Commonwealth, so we are talking about Phase 3 starting right when school would start.
Risk Consideration
Looking at this timeline, the case for full distance learning seems pretty weak when we consider:
The economic impact to at-risk communities of children staying home for distance learning.
Here is the situation: we already know that Black and (especially in Arlington) Latinx communities are disproportionately affected by COVID-19. They are also disproportionately affected by unemployment. They are also (again, especially with the Latinx community, and especially in Arlington County) disproportionately affected by unemployment directly from COVID-19. The children of these communities are the ones who are most likely to receive free or reduced lunches, have no or inferior access to the internet, and are the reason school districts like Arlington’s have an office of equity and excellence.
What about the children?
How do we educate this community equitably when the parents of these children, who have lower-paying service jobs in industries that have been the hardest hit by COVID, are offered their jobs back? The additional funds from the CARES act are slated to expire at the end of July, and when September comes around, Department of Labor guidance isn’t clear on what happens next for primary caregivers of children in the 2020-2021 school year:
“A school is not closed as a direct result of the COVID-19 public health emergency, for purposes of 2102(a)(3)(A)(ii)(I)(dd), after the date the school year was originally scheduled to end.”
Does “the school year” mean 2020-2021 school year as well? If districts move forward with a hybrid opening, this would seem to not apply. It would seem like it does apply for families if districts go fully distance learning, but again, this is after CARES act funding runs out, and $378, the maximum unemployment benefit in Virginia, does not go very far in Arlington.
This is while children of wealthier white parents, who have more of an ability to work from home and have more flexibility to hire caregivers and private tutors, have more opportunities to access a quality education during a full distance learning scenario.
The issue of child care (school), combined with the prospect of being out of work without access to financial benefits, seems untenable, especially for minority and at-risk communities. It also seems unlikely that we will be able to get children to follow social distancing guidelines.
Our options (assuming a vaccine isn’t completed before September, also not likely) seem to actually be:
Reopen school as normal, and do our best to follow social distancing guidelines, and accept the risk of COVID spread.
If we do distance learning, greatly expand financial and unemployment benefits to families of at-risk communities, which is not something a school district has the ability to do, and with Fauci now calling for schools reopening, seems almost an impossibility.
Neither of these solutions seems good. I don’t have the answers, but we need to be talking about this and figuring it out – quickly.
Note: I started working on this post before the killing of George Floyd, and took a break from it to get some of the included video content. In the events of the last week, it feels like the national conversation has shifted from talking about COVID-19 to police overreach and the Black Lives Matter movement. I don’t address that in the post and I don’t feel like it’s appropriate to talk about with my “hurr durr video games” content, so I leave the original post unchanged.
I decided a few weeks ago that my COVID “support the economy” purchase would be a gaming laptop. I’d been interested in one for a while and with no other way to play Half-Life: Alyx, I figured it’d be a good time to spring for one, seeing as how there is little else going on during my copious free time, except for blogging, apparently. Oh, and yardwork.
I ended up getting a higher-end model of the Alienware m15 R2, after I figured out I could stack a fairly generous $600 off discount with an education discount and a 10% off promo code. All this to say, they just spec’d and are on the verge of releasing the Alienware m15 R3, but that’s how it goes with gaming gear.
I haven’t owned a gaming PC since I built my own, but that was back in 2013 when Ashley and I lived in Boston, and I picked the parts up from the Micro Center on Memorial Drive. Since then I’ve only owned consoles, and when I fired up the Alienware I was pretty blown away by the performance. They’re not even paying me to write this!
Since deploying games as a service seems to be going mostly pretty well for publishers and consumers, the obvious play was to download some games from my pre-existing Xbox Game Pass Ultimate subscription, and while I was at it, I signed up for Origin Access.
But what games do you play during a pandemic? As an older gamer, my bar for “this game feels like work now” is pretty low, and exacerbated by the stress of pandemic life and trying to raise a baby.
I want to use my brain, but I also kind of want to be a vegetable. Naw mean? This means Monster Hunter World is still a hard no, but I do have some recommendations for some feel-good, low-stress fun.
1. Old Arcade Games
I’ve always been a fan of these and a lot of them still hold up, especially the good stuff from the Neo Geo era. We can dive more into that in a later post, because it’s something worth exploring, but in general, the good Neo Geo stuff just has a…look. You know how Donkey Kong Country for the Super NES came out in 1994, but if you play it today, it still looks pretty good? SNK and associated developers employed a lot of talented artists. Check out NMK’s ridiculous Zed Blade, also from 1994:
Why does this work? Well, if you look at the 16-bit renaissance, the vast majority of these games aren’t actually using 16-bit assets, so if you’ve tried to play CrossCode (which is on Game Pass, but strangely only for PC), it looks like an SNES game, but…spiffier. A lot of this newer stuff looks like it could’ve originally come out on the Neo Geo.
2. Gears: Tactics
I’ve never been able to get into XCOM, the game/work barrier was always just high enough that despite a few attempts, I bounced off. Gears: Tactics has simplified a few things, complex…ified…a few things, but has turned up the fun factor and made a very Gears feeling game in the process. At the same time, due to the turn-based nature of tactics games, it scratched a nostalgic itch. When I was younger, my dad used to paint miniature pieces and we’d play the games in his basement with dice and a ruler. His setups were pretty elaborate, like something you’d see at MIT’s tech model railroad club back in the heyday, with terrain, mountains, obstacles, etc. If you’re familiar with this kind of thing, you already know how to play a tactics game.
Anyway, Microsoft had to pull off making a tactics game that employed the Lancer chainsaw, and boy howdy!
My experience with Tactics is that it hasn’t been all that difficult, but I did just wrap the first boss, and the fight got pretty tense; I didn’t lose any heroes, but skated just barely by to finish him off on the first go. The boss fights are asynchronous, so your team of 4 characters against a single, very powerful foe. I actually had to turn off reruns of Miami Vice for that one. (One complaint, the “across the bridge” fight leading up to the first boss goes on a little too long.) The enemy variety has picked up after the first boss and it’s an excellent game to unwind, along with a glass of your adult beverage of choice. Gears: Tactics is PC-only (for now), and doesn’t seem too demanding, my new hardware runs it buttery smooth on Ultra Settings.
3. American Truck Simulator
I have played many an hour of ATS while listening to Marty Robbins, the Giant Bombcast, or Dan Carlin. I don’t have a crazy setup for ATS, and am happy with using an Xbox One controller. Even if this is not typically your bag, if your car has been sitting in the driveway and you need to hit the road, give ATS a shot.
4. Just Cause 3
Just Cause 3 got a bad rap, its launch marred by a litany of serious performance problems on consoles. Square Enix has done a pretty good job patching a lot of that out for console, and I was able to get a copy of it from Square Enix’s “here are 54 games you probably won’t play, but it’s for charity” sale earlier in the month. I still get some hitching on PC, but for the most part, it runs great, and runs very well on my PS4.
If you’re not familiar with JC3, the premise is this: you play as a Latino Arnold Schwarzenegger, and the game is basically 1985’s Commando. Rooty tooty, boom n’shooty as you try to cause as much destruction as possible to overthrow a corrupt government.
Also, you get a mech, because why the hell not?
5. Ori and the Will of the Wisps
It demands your attention, so Crockett and Tubbs will have to wait while playing Ori and the Will of the Wisps, but it deserves to be on this list. When you’re stuck inside all day, Ori gives you a sense that you actually explored something and saw something new. It has a beautiful, outdoorsy art style, moving soundtrack, and relaxing vibe. Wisps, especially compared to its more straightforward predecessor, takes a few pages out of Hollow Knight’s book, but in general is a lot more forgiving with extremely generous checkpoints and no punishment for failure.
I am playing Wisps on an Xbox One X on a 4K monitor with HDR, which my laptop doesn’t have. In my opinion, HDR goes farther in a game than it does in a movie, and if you have access to the same setup, Wisps is a benchmark for why HDR in games is worth the investment.
Honorable Mention 1: Legends of Runeterra
LoR is a mobile DTCG (digital trading card game, I just made that up) in the same vein as Magic: The Gathering that introduces some new elements to freshen things up. I’ve enjoyed playing a round here and there, but as a mobile game I haven’t dove in too much.
Honorable Mention 2: Call of Duty: Modern Warfare
By hours played, I’ve put more time into CoDMW than any other game in the last 6 months. I’m decent at the multiplayer, and finally finished the campaign and enjoyed it. At a 7-ish hour length, I realized how so many “open worlds” are full of filler content that really isn’t all that good. Still, it’s heavy stuff, and it took me a while to get into the campaign. The torture scene could have been left out. MW’s multiplayer/online community is surprisingly tame, and I much prefer the lower-stakes plunder mode to the more traditional battle royale mode in Warzone.
More to come, but that’s what’s been keeping my free time occupied in the last few weeks. If you have a further suggestion, please do leave a comment below.
After multiple weeks of being in varying states of anxiety and dread over the new house, which seems to be a common condition amongst new homeowners, it finally hit me as I looked out upon our front yard: we are just going to have a crappy yard for a while, and that’s OK.
"I’ll just rent a core aerator, then do the whole lawn, then fill in all of the weird puddle spots with dirt, then I’ll get a seed spreader, then I’ll get a reel mower, then I’ll put some fertilizer down, then, then, then, then." Then what, my yard will look like Pebble Beach at the Masters? No. I’m not even a golf guy, best I can do is double digits at Topgolf. I’ve been keeping it mowed and put fresh mulch down around the trees; I’ve already left the better part of a dozen lawn bags at the curb, and I just found an encroaching patch of poison ivy, which apparently grows everywhere in NoVA. Luckily, this isn’t my yard in the picture, but I did find this patch growing in the neighborhood.
Aside from the PI, it’s probably time to take the "don’t do it all at once" advice seriously. Things are stressful enough as it is; maybe this is the attitude to take toward COVID. When you’re already under a lot of pressure, it’s easy to succumb to "whataboutism." Whataboutism is bad at work, because you end up "talking" more than "doing." It’s also bad because it leads to a lot of negative self-talk. I started getting stuck in this weird loop of feelings, where I would feel a certain way, but then end up comparing my feelings to someone else in a worse situation, and then I would feel worse for that comparison. Ex:
I’m under a lot of pressure because my wife is trying to work, I’m trying to work, and we have a baby.
But what about the people who lost their jobs? Their situation sucks even more than mine.
What about the people who lost their jobs and have kids? Their situation is even more sucky.
Man, I feel like an asshole now for thinking that this sucks!
What do you do about this? In a mindful moment, I can say, this is how I feel, how does this feeling serve me (or not), but invariably, this leads to more negativity about the situation of other people. But I’m trying to be mindful! Argh! This is just more "talking" and less "doing," right? Is all hope lost? Certainly not, the curve is well flattened and people have shown an impressive respect for social distancing; the road is long, sure. Now that we know that, let’s, as Jim Collins puts it, "confront the brutal facts."
Here are the brutal facts: almost everyone’s situation is shitty right now, and will be for a while.
I can be mindful in a conversation about COVID while also asserting my own feelings, and I shouldn’t have to stress out about that. I don’t need to qualify "my situation is rough" with "and yours is worse." I can let them tell me how they feel from their perspective and be an active listener. I can support local businesses and restaurants. I can take time for myself to reflect. We feel how we feel, and have little control over it. The journalist Robert Wright describes this phenomenon in Why Buddhism is True as the "not self." Perspective, like people’s COVID situations, is unique. Once I start to consider my own brutal facts, my own perspective, a lot of that negative self-talk seems to fade away. Stressful? Yes. Manageable? Yes. We are all doing our best.
And for myself (or not self) – what about just doing what I can (outlined above), forgetting the small shit, spending time with my son, and having a crappy yard for a while? That can be the beginning and the end of the what-abouting. Can I cure my yard rightnowtoday? No. COVID? Absolutely not. In fact, I probably have a better shot at curing COVID than my yard. Local takeout? Yes. Off to Chick-Fil-A.