rm [-r] lininger
@0xdaeda1a.bsky.social
Distinguished Risk Pokemon will be my final form. Cthulhu cultist, lawful good. Yay Seattle! Opinions belong to my autocorrect, not my employer. /her

Also [email protected]
There’s that.

Though I will say that working on strength endurance has done a lot to help me feel better about it. 100 reps is nothing to sneeze at.
December 2, 2025 at 2:40 PM
That is interesting, thank you. I definitely agree that self awareness is the big benefit.

The heart rate article was v v similar and I bet the power one is too. They’re all ways of getting an external look at what you’re doing (it’s not quite objective, but it’s not purely subjective either).
December 2, 2025 at 4:24 AM
*whispers* but I like ohp
December 2, 2025 at 4:21 AM
But. GitHub is Microsoft!
December 1, 2025 at 8:18 PM
Ok! Thank you for responding (and I’m glad I wasn’t mistaken in who you were, even if I was wrong about specifics). I wasn’t sure if you did more than 800-63B or not.

Changing risk definitions after two decades is weird.
December 1, 2025 at 2:27 AM
Ubiquiti dream 7 was on the shortlist!
November 30, 2025 at 9:21 PM
Change building code so that all apartments have a patio or balcony.
November 30, 2025 at 8:20 PM
I’m very sure it’s not! I’m frustrated as hell, but I think it’s just siloing.
November 30, 2025 at 8:11 PM
Pretty close to zero.

This is deep pedantry. The ISO definition is defensible (I think it’s bad, not illegitimate lol), and it’s not unreasonable to standardize. NIST is huge, there’s a ton of documents, and siloing is inevitable.

But that’s a conflict between the AI stuff and everything else.
November 30, 2025 at 8:11 PM
“Help help the hackers patched my system for me” is not a thing one should include in the risk register.

Actually the fact that there is no risk register I am aware of anywhere that includes happy accidents is pretty telling too.

Now I want the Bob Ross Risk Register template.
November 30, 2025 at 7:13 PM
That one’s ok. He’s not, iirc, positing unmitigatable good surprises.

I have no problem with the word “opportunity.” I just don’t think it is in any way helpful to treat it like harm.
November 30, 2025 at 7:10 PM
It has few practical effects.

But I believe, sincerely and with the purity of deep pedantry, that it fucks up your thinking.

That fucked up thinking is _why_ the dril quote is hilarious. (Source: Arthur Koestler’s Act of Creation on humor and bisociation.)
November 30, 2025 at 6:33 PM
Most people haven’t been deeply immersed in cybersecurity risk for over a decade. I’ve been bitching about this (“positive risk”) since 2012, and honestly most people don’t care! It’s just a question on the exam.
November 30, 2025 at 6:30 PM
Wait — friend @jimfenton.bsky.social, are you NIST Jim Fenton or another Jim Fenton? Do you know if NIST is changing their definition of cybersecurity risk for everything or just the AI docs?

Whining in threads. I’ve spent weeks trying to figure these things out.
November 30, 2025 at 6:25 PM
The amount of writing that NIST has done on all this is voluminous and while I’ve read some things carefully, I haven’t read it all, and also some of the stuff I read carefully earlier didn’t stick because of all the things I’ve mentioned.

Now that I know to look for it, I’ll do that.
November 30, 2025 at 6:18 PM
Fucked if I know!
November 30, 2025 at 6:17 PM
Hey @langsec.hacker.gf we were talking about this. It got worse!

I wouldn’t mind so much except it was a silent change. They didn’t say “btw the Risk Management Framework is redefining risk hth.”
November 30, 2025 at 5:45 PM
The cybersecurity risk of not properly storing passwords is that we can ship faster and make a lot of money.

The cybersecurity risk of an RCE is that a benevolent hacker might patch our routers for us.

“Positive risk” in cybersecurity is not a thing. The ENTIRE FIELD is oriented against it.
November 30, 2025 at 5:40 PM
At least, ISO’s definition is bad for cybersecurity. It doesn’t seem helpful for other domains, but I’m not in them so I will defer to those experts.

The cybersecurity domain is entirely framed around preventing harm. Trying to talk about positive risk of cybersecurity problems is nonsense.
November 30, 2025 at 5:27 PM
The regular NIST RMF 800-37 defines risk in terms of threat, adverse impact, and harm. The AI RMF defines it in terms of pure uncertainty, positive or negative.

To be fair, the latter has been in ISO since 2009. Conforming with ISO is not completely unreasonable.

Except ISO’s definition is bad.
November 30, 2025 at 5:24 PM