<p>typicalrunt.me Blog (http://typicalrunt.me/), Scott Brown, last updated 2024-01-01T06:59:59+00:00</p>
<h1>2023 Playlist</h1>
<p>/2023/12/31/2023-playlist/, published 2024-01-01T06:59:59+00:00, Scott Brown</p>
<p>These are the songs I was listening to this year.</p>
<ol>
<li>Is There Someone Else? – The Weeknd</li>
<li>Shoop – Salt-N-Pepa</li>
<li>Every Little Step – Bobby Brown</li>
<li>The Lovecats – The Cure</li>
<li>The Promise – When in Rome</li>
<li>Wobble – Crankdat, Tisoki</li>
<li>2 Be Loved (Am I Ready) – Lizzo</li>
<li>Sweet Dreams – La Bouche</li>
<li>Die for You - Remix – The Weeknd, Ariana Grande</li>
<li>Calm Down (with Selena Gomez) – Rema, Selena Gomez</li>
<li>A Real Hero – College, Electric Youth</li>
<li>Anti-Hero – Taylor Swift</li>
<li>BOOM – Tiesto, Sevenn, Gucci Mane</li>
<li>Save Your Tears (Remix) – The Weeknd, Ariana Grande</li>
<li>Flowers – Miley Cyrus</li>
<li>I Don't Mind – The Age of Electric</li>
<li>Ugly – The Age of Electric</li>
<li>Don't Be Shy – Tiesto, KAROL G</li>
<li>Uncomfortable – Effin</li>
<li>Someone Else – Rezz, Grabbitz</li>
<li>Overnight – Parcels</li>
<li>Destination Calabria (Radio Edit) – Alex Gaudino, Crystal Waters</li>
<li>I Like To Move It – Reel 2 Real, The Mad Stuntman, Erick Morillo</li>
<li>Unholy (ACRAZE remix) – Sam Smith, Kim Petras, ACRAZE</li>
<li>Tieduprightnow – Parcels</li>
<li>Hypnocurrency – Rezz, deadmau5</li>
<li>Cupid – FIFTY FIFTY</li>
<li>Players – Coi Leray</li>
<li>I Like You (A Happier Song) – Post Malone, Doja Cat</li>
<li>Connected – Stereo MCs</li>
<li>Never Let You Go – Third Eye Blind</li>
<li>All Nighter – Tiesto</li>
<li>Deep Down – Alok, Ella Eyre, Kenny Dope, Never Dull</li>
<li>I'll Be – Foxy Brown, JAY-Z</li>
<li>Make Some Noise – Beastie Boys</li>
<li>Everywhere – Fleetwood Mac</li>
<li>Houdini – Dua Lipa</li>
<li>Circles – Post Malone</li>
<li>34+35 – Ariana Grande</li>
</ol>
<p>And that's it for 2023! See you next year!</p>
<h1>The Coke and Chips Problem</h1>
<p>/2023/11/08/the-coke-and-chips-problem/, published 2023-11-09T05:04:00+00:00, Scott Brown</p>
<p>An overweight man comes into the doctor's office. He says to the doctor, "hey, I'm looking to get in shape, lose weight, and get healthy. But I don't know what to do. What is your advice on what I should do?"</p>
<p>The doctor replies, "That's a great idea. Well, we can certainly do a checkup and make sure there are no biological or genetic issues that will hinder your goals. But for starters, my advice is to get more exercise and eat right. So, what are you eating right now?"</p>
<p>The patient replies, "Coke and Chips."</p>
<p>The doctor, not missing a beat, replies, "Okay, so there's the first improvement you can make. Start eating healthy food."</p>
<p>The patient responds, "sure… but is there a way to make the healthy food taste like coke and chips?"</p>
<hr />
<p>The moral of the story is that with any change, especially in the InfoSec space, people will often come to you knowing that something is wrong and needing your help to fix it. However, they don't actually want to change the things they are doing that got them into that state.</p>
<p>They want change without changing.</p>
<h1>Accessing the UKG Pro API</h1>
<p>/2023/09/26/accessing-the-ukg-pro-api/, published 2023-09-26T16:00:00+00:00, Scott Brown</p>
<p>I was helping out IT this week with an automation task they had: they want to sync the data in UKG (an HRIS platform) with the data in the IdP. The problem was, nobody's documentation was very good and left out important details, and Google was almost no help either. Hopefully someone else can stumble their way onto this page and get going quickly.</p>
<pre><code># replace xxx with your customer API key, and base64(username:password) with
# the Base64 encoding of the literal string "username:password"
curl -H 'Accept: application/json' -H 'US-CUSTOMER-API-KEY: xxx' -H 'Authorization: Basic base64(username:password)' https://hostname/personnel/v1/employment-details
</code></pre>
<p>Ref: https://developer.ukg.com/hcm/reference</p>
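<p>The same request from Python, as an added example that is not code from the post or from UKG. The endpoint path and the three headers come from the curl command above; reading the credentials from the environment variables UKG_HOST, UKG_API_KEY, UKG_USERNAME and UKG_PASSWORD (so they stay out of the script and out of the process argument list), the injectable transport, and the constructed sample body in offline_demo() are assumptions made here.</p>

```python
"""Added example (not from the post or UKG): the curl request above, from Python.
Endpoint path and header names are taken from the post; the env var names, the
injectable transport and the sample body are assumptions made for this example."""
import base64
import json
import os
import urllib.error
import urllib.request

ENDPOINT_PATH = "/personnel/v1/employment-details"


def build_headers(api_key, username, password):
    """Return the three headers the endpoint expects.  The Basic credential is
    the Base64 encoding of the literal string "username:password", which is
    what the post writes as base64(username:password)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {
        "Accept": "application/json",
        "US-CUSTOMER-API-KEY": api_key,
        "Authorization": f"Basic {token}",
    }


def build_request(host, headers):
    """Build the GET request for https://<host>/personnel/v1/employment-details."""
    return urllib.request.Request(f"https://{host}{ENDPOINT_PATH}", headers=headers, method="GET")


def http_transport(req):
    """Send the request and return the raw body bytes.  401/403 are reported
    separately so a wrong customer key or Basic credential is not mistaken
    for a malformed response."""
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.read()
    except urllib.error.HTTPError as exc:
        if exc.code in (401, 403):
            raise RuntimeError(
                f"UKG rejected the credentials (HTTP {exc.code}); "
                "check US-CUSTOMER-API-KEY and the Basic username:password"
            ) from exc
        raise


def fetch_employment_details(host, headers, transport=http_transport):
    """Fetch and decode the JSON body.  `transport` is injectable so the
    function can be exercised offline with constructed bytes."""
    raw = transport(build_request(host, headers))
    return json.loads(raw.decode("utf-8"))


def offline_demo():
    """Exercise the code path without a network, using a constructed body
    (this is not a real UKG response shape, just sample data)."""
    constructed = b'[{"employeeId": "E1", "status": "Active"}]'
    hdrs = build_headers("example-key", "user", "pass")
    return fetch_employment_details("hostname", hdrs, transport=lambda req: constructed)


if __name__ == "__main__":
    hdrs = build_headers(os.environ["UKG_API_KEY"], os.environ["UKG_USERNAME"], os.environ["UKG_PASSWORD"])
    data = fetch_employment_details(os.environ["UKG_HOST"], hdrs)
    # Print a short preview only; the response contains personnel data.
    print(json.dumps(data, indent=2)[:500])
```

<p>Credentials are taken from the environment rather than typed on the command line because a curl invocation with the key and password inline is visible in shell history and in the process list of the machine it runs on.</p>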
<h1>Taking Things Personally</h1>
<p>/2023/04/05/taking-things-personally/, published 2023-04-06T02:52:00+00:00, Scott Brown</p>
<p>One of the common patterns in my life is to surround myself with people whom I allow to abuse me. And one of the popular refrains of these people is to tell me this phrase:</p>
<blockquote>
<p>You need to stop taking things so personally.</p>
</blockquote>
<p>And I find that phrase interesting because it is really difficult not to take things personally when they are targeting me with their abusive words. But, as I said, this is a common refrain of abusers in my life. In fact, most of the people that have mistreated me in various ways have also found a way to abdicate any responsibility for their actions by using this phrase to place the blame squarely on me.</p>
<p>And I took it.</p>
<p>I mean, why not. In my life, I was taught to listen to people who are, or are pretending to be, authority figures. And when an authority figure is "teaching" you a lesson, of course I'm going to listen. And when that person ends up getting frustrated, then hurting my feelings and I want to talk about that, that's when the popular phrase gets trotted out like a prized horse.</p>
<p><img src="/2023/04/05/taking-things-personally/taking-things-personally.png" alt="Taking Things Personally" /></p>
<p>A manager once told a group of us in a meeting, "What I don't like is bad mouthing, negativity, constant complaining". After days of self-reflection I explained to the manager how I felt about hearing that–I felt guilt, shame, sadness, fear–and asked for some examples of when I exhibited those traits. The answer was that it was spoken generally and not indicative of anything that I, or anyone in that group, had done. I was then told that I should not take things so personally.</p>
<p>I'll explain the insidiousness of the phrase. On one hand, I am being told something that hurt me and then being told not to take it personally, and then I'm expected to internalize and take personally the advice not to take it personally. See the mind games? That's the manipulation. It puts me, and I suspect others, on uneven ground without even realizing it.</p>
<p>Being surrounded by these types of people is a common pattern because that's what I grew up with. So for me, this is what normal looks like. Abnormal is the sense of true empathy and caring from others toward me. For the latter, it just feels wrong or out of place. For the types of abuse that I grew up with, this abusive behaviour of others feels to me like this is the way things are supposed to feel. And therein lies the problem. I gravitate, like any person would, toward people that I feel comfortable with. But that comfort is not a true representation of comfort. Others, looking at my situation, often wonder why I put up with that kind of behaviour from others. And my answer to them is typically, "what did they do wrong?" Deep down, I do feel something is amiss, but I'm often unable to tell what it is because I have very few (when younger, none) reference points from which to draw. And that's why this is what normal looks like to me. Or, at least, it did.</p>
<p>I've spent the better part of a decade trying to be around people that I don't necessarily feel comfortable with. These people are caring people. Truly caring. It is not at all "normal" to me. I keep waiting for them to do something that will make me feel like a return to normalcy, but they keep denying me this by being… kind. Not necessarily nice, but they are always kind. And in being around these people, I'm given a new reference point for what normal is supposed to be. And when I speak about situations where I thought it was normal, they explain to me what normal really is, and help me validate that these situations are examples of abuse and/or mistreatment. But once they get me to see the situation through their eyes, they also help me understand that running away is not the correct course of action (or at least only on rare occasions). Instead, they get me to understand how I can follow up on the situation, explain to the other person how it made me feel, try to assert myself and tear down the pedestal of authority upon which I placed them. The reason for doing those things is to see that these people are fallible, but also to give them a chance to be held accountable for their actions. And if those people don't want to be accountable, well then it is time for me to sever the relationship and move on without the pain of regret–pain of grief perhaps, but not regret. I have also learned not to try and change the other person; you can't change people, you can only hold a mirror up to them and they can choose to change themselves.</p>
<p>When I was young and up until several years ago, I took that phrase and internalized it (i.e. I took it personally) but then felt weird and couldn't understand the emotions I felt. But now, my response has evolved where I get angry at hearing it, knowing right away that a violation has occurred. But I don't act on it, I process my emotions and then ask questions later. I no longer let it control me. I also think about how it says more about the people using the phrase than about me, and that's really difficult to do when I put them up on a pedestal of authority. Tearing down that pedestal helps me see them as equals and, yes, as people that have abusive behaviours.</p>
<p>Are there situations where that phrase could be seen as helpful advice? I'd like to present a balanced view, but I'm finding it difficult to do so given my history and usage of that phrase against me. But I would also be remiss in not being honest about my bias.</p>
<p>Even so, telling someone to stop doing something, especially when it is something that is happening inside their brain, is not helpful to yourself or to the person you are telling it to. There is literally no way for a person to know if someone is taking it personally. Sometimes people just need to process information and then let it go, but that doesn't mean they have taken it personally. Being told to stop doing something is akin to being told that you are doing something wrong. It may come from the best of intentions, but it is also judgemental and controlling. At worst, and this is where it delves into my history, that phrase has been used as a tool for manipulation and control.</p>
<p>So where does that leave someone who wants to say the phrase but knows it won't help the situation? They can instead ask the person questions. Ask them what's happening to them right now. Ask them how it made them feel when they heard it, or after they took time to process it. Ask them what it reminds them of. You can also not ask any questions at all. Just sit there and listen to the person, and let them process information however they do it. Let them word vomit everything in their brain, just to get it out. Give them the space that they feel they've lost from whatever you, or someone else, has said.</p>
<hr />
<p>Image Credit: Dall-E with modifications by me</p>
<h1>Spreadsheets</h1>
<p>/2023/03/04/spreadsheets/, published 2023-03-05T04:10:00+00:00, Scott Brown</p>
<p>I routinely come up with what I think are million dollar ideas. And I get euphoric about how successful it will be, I'll make so much money, and people will be happy.</p>
<p>And then as the euphoria dies down, typically as I start designing it, I have some sober thoughts.</p>
<p>Would I use my own product? Maybe.</p>
<p>Would I pay for my product? Probably not.</p>
<p>And the reason invariably boils down to the fact that most of my ideas are just a way of storing and managing ideas in a tabular format. As in, a spreadsheet.</p>
<p>Risk register? Sure, I could spend tens of thousands on a LogicGate subscription. But I could also create a spreadsheet and just keep track of it there.</p>
<p>Vulnerabilities? Same thing.</p>
<p>Roadmap planning? Yup, spreadsheets too.</p>
<p>Products like Jira have a purpose, and those purposes tend to show up really well when there is a team of people all working on the same thing. But even spreadsheets can live for a very long time just chugging along doing just enough to get the work done and nothing else. I get my data in tabular format. I get to sort it, filter it, pivot it. I get charts.</p>
<p>So perhaps my million dollar ideas are just too basic. Perhaps they really are just a CRUD wrapper over a database. That's still fine, but maybe there's more to a million dollar idea than just "managing" data.</p>
<p>And that's where I think about what happens in my day job. There, I often get invited to demos from startups showing off their new product. And invariably what they've designed is a CRUD wrapper over a database. And as the demo progresses, what I really want to say to these founders is:</p>
<p><img src="/2023/03/04/spreadsheets/7cyy3w.jpg" alt="extra steps" /></p>
<p>And that's why nearly every single demo gets rejected by me. What I'm looking for in these startups is what I need to be doing when I'm thinking about my million dollar idea.</p>
<p>The product needs to solve a problem. And that problem can't be solved by inputting the information into a spreadsheet.</p>
<p>For instance, if you, dear InfoSec startup founder, want me to purchase your centralized vulnerability SaaS product, it can't just collate all vulnerabilities into one app. I still need to triage everything. But if your app can do the triage for me or suggest a correct remediation for me, well then you have my attention.</p>
<p>The joke I've used with my colleagues is that these startup founders are akin to the door to door vacuum salesmen of yesteryear. They show up to your door, point to various places in your house and say, "Our product shows you where the dirt is." Well, yes, I know where the dirt is, it's my house. I need help cleaning up that dirt. And so often I get the founder equivalent of, "oh no, our product doesn't clean the dirt, it just manages the locations where the dirt is to help you keep track of it." Cool. Next.</p>
<p><img src="/2023/03/04/spreadsheets/7d0mo3.jpg" alt="spreadsheets" /></p>
<h1>Static Websites</h1>
<p>/2023/02/26/static-websites/, published 2023-02-26T18:27:00+00:00, Scott Brown</p>
<p>A person dear to me, who is new to the tech world, asked me a simple question: "What is a static website?" It was asked in response to me saying that I have a static website–<a href="https://typicalrunt.me">this website</a> you are reading.</p>
<h1 id="tech-jargon-and-shibboleths">Tech Jargon and Shibboleths</h1>
<p>Once again it dawns on me how often jargon slips into normal conversation and acts like a shibboleth. It's hard to place oneself squarely back into the shoes of someone who has no frame of reference. If you want to get a feeling for what this is like, try to remember that at some point in your life, you would not have understood the words on this page. Even worse, you wouldn't even have been learned enough to determine what is a word and what is not. This is hard for you to remember because you don't–or barely–remember being illiterate. If you want a sense of that, go look at a book written in a completely different language. For example, if your first language is English, go look at a book in Hindi. I always find it fascinating, scary and humbling that I cannot tell what is a word, what is punctuation, or anything else when I look at a completely different language; these languages appear to me as tally marks, just as I'm certain English appears to a North American child.</p>
<p>Let's see what ChatGPT says about this.</p>
<h2 id="prompt">Prompt</h2>
<p>What does writing look like to someone that doesn't speak the language? For instance, an English speaking person who looks at Hindi for the first time. Or perhaps a 2 year old human who looks at English words in a book?</p>
<h2 id="response">Response</h2>
<blockquote>
<p>To someone who doesn't speak the language, writing in an unfamiliar script can appear as a series of abstract symbols or shapes that do not have any immediate meaning or context. It may look like an intricate pattern or design, similar to how we may perceive a piece of artwork.</p>
<p>For example, to an English speaker who is unfamiliar with the Hindi script, the written characters may appear as a series of complex curves, lines, and dots that do not immediately convey any recognizable meaning.</p>
<p>Similarly, to a two-year-old child who is just learning to recognize and understand written language, English words in a book may initially appear as a collection of arbitrary shapes and lines without any inherent meaning. However, with time and exposure to the language, the child will gradually begin to recognize the patterns and associations between written symbols and spoken sounds, eventually developing the ability to read and understand written language.</p>
</blockquote>
<p>That sounds about right.</p>
<h1 id="static-vs-dynamic-websites">Static vs Dynamic Websites</h1>
<p>Back to static websites.</p>
<p>A website can either be static or dynamic. What determines its dynamism is whether code is running to generate HTML that is then returned to the user. Often the main content changes based on something like a URL, HTTP header, and so forth. The way to make a website dynamic is by having the website code make a request to a database which holds the content. Going to the same URL will often lead to the same content, but the content is pulled from another source (e.g. database). In contrast, a static website is one where the main content does not change because it is not being requested from a database or any other source. The content is transformed into HTML files and uploaded to the web server. When someone browses your website, the web browser is reading the HTML files and… well, that's it. With dynamic websites, the website code is in a programming language like PHP, Python, Ruby, Java and that language outputs HTML when a user visits your dynamic website.</p>
<p>So, in effect, a static website has no code that is rendering it to HTML because it is already HTML.</p>
<h1 id="dynamic-website">Dynamic Website</h1>
<p>The following diagram illustrates the lifecycle of a single person visiting a dynamic website. It assumes that the content for the website is being pulled from a database. Regardless of whether this is true, the important part is that the majority of the time is taken up rendering the content to HTML (the "Code" column).</p>
<p>All the user's web browser cares about, or can even read, is HTML. So the entire purpose of the web server is to take a user's request and respond back with HTML<sup id="fnref:1" role="doc-noteref"><a href="#fn:1" class="footnote" rel="footnote">1</a></sup>. It is the code's job to determine if the request is legitimate, if it is able to pull the right data, and then render all of that to HTML. It will do this for every single HTTP request.</p>
<p><img src="/2023/02/26/static-websites/dynamic-website.png" alt="Dynamic Website Rendering to Browsers" /></p>
<h1 id="static-website">Static Website</h1>
<p>A static website, on the other hand, has a much simpler workflow. There are nearly no moving parts, as the website has already been rendered to HTML. The web browser makes the request, the web server looks up the right file and returns its HTML content to the browser. That's it.</p>
<p><img src="/2023/02/26/static-websites/static-website.png" alt="Static Website Rendering to Browser" /></p>
<p>What's happening here is that the developer has optimized the HTML compilation step by pre-rendering all data into HTML, thereby removing the need to have code being run on every HTTP request. Since the web server was already seeded with HTML content, there is nothing for the web server to do other than return HTML to the browser.</p>
<p>That seeding process is what is known as "rendering" or "compilation".</p>
<h1 id="so-how-does-a-static-website-get-compiled">So how does a static website get compiled?</h1>
<p>A static website is often rendered during some compilation stage before deployment. The content itself can be stored anywhere, in a database or as text files on your hard drive, but the whole website can be compiled to HTML before it gets uploaded to a web server where other Internet users can visit it with their web browsers.</p>
<p><img src="/2023/02/26/static-websites/static-website-compilation.png" alt="Static Website Compilation" /></p>
<p>For this website, all of the blog content is stored as separate Markdown files. Those files are then rendered by (at the time of writing) <a href="https://middlemanapp.com/">Middleman</a> into a set of HTML files. If I didn't say which tool I used to render the website, there would be little to no way to tell. The rendering step can be done on my laptop, but I only use that for testing that the Markdown syntax is correct or to verify that UI changes look okay. Instead, I automated the compilation and upload step by creating a Github Actions workflow.</p>
<p>The Github automation watches for a merge to the <code>master</code> branch of the repository, then runs the Middleman render task to compile the website into HTML, then uploads the HTML files to the web server. The workflow, which takes an average of 53 seconds to complete, looks like this:</p>
<pre><code>---
on:
  push:
    branches:
      - master
jobs:
  build_and_deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: '3.1.2'
          bundler-cache: true
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: xxx
          aws-secret-access-key: yyy
          aws-region: us-east-1
      - name: install dependencies
        run: bundle install
      - name: build the static website
        run: make build
      - name: upload the HTML files to S3
        run: make deploy
</code></pre>
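<p>To make the compilation step concrete, here is an added example of a minimal static-site compiler in Python, the job that <code>make build</code> stands for in the workflow above. It is not the Middleman setup this blog actually uses; the SAMPLE_PAGES content, the page template, the output-path convention (a URL path maps to <code>path/index.html</code>) and the <code>build</code> directory name are all assumptions made for the example. It also shows the one property that matters for the security discussion later on: content meets markup exactly once, at build time, and the served files are returned as-is on every request.</p>

```python
"""Added example, not this blog's Middleman code: a minimal static-site
compiler.  Pages are constructed inline as plain paragraphs (no Markdown
library needed); each is rendered to a complete HTML document once, at
build time.  Template, sample pages and path convention are assumptions."""
from __future__ import annotations

import html
import os

TEMPLATE = """<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>{title}</title></head>
<body>
<h1>{title}</h1>
{body}
</body>
</html>
"""

# Constructed sample content standing in for the blog's Markdown files.
SAMPLE_PAGES = {
    "/": ("Home", ["Welcome to a static site."]),
    "/blog/article": ("An Article", ["First paragraph.", "Second paragraph."]),
    "/blog/untrusted": ("Comment", ['Someone wrote <script>alert("x")</script> here.']),
}


def render_page(title: str, paragraphs: list[str]) -> str:
    """Render one page into a full HTML document.  Content is escaped here,
    at build time; this is the only point where text meets markup, so the
    served files never carry script that arrived as content."""
    body = "\n".join(f"<p>{html.escape(p)}</p>" for p in paragraphs)
    return TEMPLATE.format(title=html.escape(title), body=body)


def output_path(url_path: str) -> str:
    """Map a URL path to the file the web server will look up: '/' becomes
    index.html and '/blog/article' becomes blog/article/index.html."""
    trimmed = url_path.strip("/")
    return "index.html" if not trimmed else f"{trimmed}/index.html"


def build_site(pages: dict) -> dict:
    """Render every page; returns relative file path -> HTML, i.e. the build
    directory from the compilation sequence diagram."""
    return {output_path(p): render_page(t, paras) for p, (t, paras) in pages.items()}


def write_build(rendered: dict, build_dir: str) -> list[str]:
    """Write the rendered files to disk and return the paths written."""
    written = []
    for rel, content in rendered.items():
        full = os.path.join(build_dir, rel)
        os.makedirs(os.path.dirname(full) or build_dir, exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
        written.append(full)
    return written


def serve(rendered: dict, url_path: str) -> tuple[int, str]:
    """What the static web server does per request: look the file up and
    return it.  No code runs against the request's content."""
    key = output_path(url_path)
    if key in rendered:
        return 200, rendered[key]
    return 404, "<h1>Not Found</h1>"


if __name__ == "__main__":
    site = build_site(SAMPLE_PAGES)
    for path in write_build(site, "build"):
        print("wrote", path)
    print(serve(site, "/blog/article")[0])
```

<p>The <code>serve</code> function is the whole request path of the static sequence diagram: a dictionary lookup keyed on the URL, with nothing in between that interprets the request. Swapping SAMPLE_PAGES for a directory of Markdown files and <code>render_page</code> for a Markdown renderer gives the shape of any static site generator.</p>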
<h1 id="what-are-the-benefits-and-drawbacks-of-a-static-website">What are the benefits and drawbacks of a static website?</h1>
<p>Why isn't every website static? I have met a lot of people in the tech industry who don't realize their website could be static, or that the tooling exists to do this. What's funny about the situation is that static websites were how the Web was originally presented, back in the early 1990s. Then CGI came along and websites started to become more dynamic. The SaaS providers (like Wix, Squarespace, Unbounce) came along and allowed people to quickly create a website, without those people realizing that their mainly-static website is actually rendered as a dynamic website.</p>
<p>But with a dynamic website, code is running. And code needs to be maintained and patched regularly. Code also has bugs in it, and those bugs could be exploited by attackers, who could then do things like dump or destroy the contents of the database that contains the website content (<a href="https://en.wikipedia.org/wiki/SQL_injection">SQL Injection</a>), or inject malicious payloads that are then rendered by the website code and displayed to visitors of the dynamic website (<a href="https://en.wikipedia.org/wiki/Cross-site_scripting">XSS</a>).</p>
<p>Static websites optimize the HTML rendering step, since the content rarely changes. Static websites are good for blog websites, marketing websites or anything where the content doesn't change often, if at all. But not all websites work like that. Some act like applications, or present themselves as storefronts, and they need dynamism. That's fine. But not every website needs to be dynamic, so each person needs to think about the purpose of the website to help them choose which solution gives them the most features with the least maintenance.</p>
<p>That said, dynamic websites where some parts rarely change can also be rendered in a static way. That is the purpose of Content Delivery Networks (<a href="https://en.wikipedia.org/wiki/Content_delivery_network">CDNs</a>). They protect (for lack of a better term) a website by sitting in front of it, listening to all the browser requests. The CDN proxies each HTTP request to the dynamic website and, for certain URLs, saves the rendered HTML content in its memory. When another browser request comes along with the same URL, it serves the rendered HTML from memory instead of proxying the request back to the dynamic website. CDNs can help save processing time and money.</p>
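<p>An added example, not from the post, of the caching behaviour just described, written in Python: a small proxy that answers repeated requests for the same URL from memory and only goes back to the origin on a miss. The origin function, its URLs and its Cache-Control values are constructed for the example. It goes slightly beyond the paragraph by honouring Cache-Control, because a cache that kept a personalised page marked <code>private</code> or <code>no-store</code> would hand one visitor's page to the next visitor who asks for the same URL.</p>

```python
"""Added example, not the blog's own code: an in-memory caching proxy that
behaves the way a CDN does in the paragraph above.  The origin, its URLs
and its Cache-Control values are constructed for the example."""
import time


class CachingProxy:
    """Sits in front of `origin`, a callable(path) -> (status, headers, body)
    that stands in for the dynamic website.  Responses are kept in memory for
    as long as their Cache-Control max-age allows."""

    def __init__(self, origin, clock=time.monotonic):
        self._origin = origin
        self._clock = clock
        self._store = {}  # path -> (expires_at, status, headers, body)
        self.hits = 0
        self.misses = 0

    @staticmethod
    def cache_ttl(headers):
        """Seconds a response may be reused, or 0 when it must not be cached:
        no-store and private mark responses that belong to one visitor, and a
        response without max-age is not cached either."""
        directives = [d.strip().lower() for d in headers.get("Cache-Control", "").split(",")]
        if "no-store" in directives or "private" in directives:
            return 0
        for d in directives:
            if d.startswith("max-age="):
                try:
                    return max(0, int(d[len("max-age="):]))
                except ValueError:
                    return 0
        return 0

    def get(self, path):
        """Serve from memory when a fresh copy exists; otherwise proxy to the
        origin and remember the answer if it is a cacheable 200."""
        now = self._clock()
        entry = self._store.get(path)
        if entry is not None and entry[0] > now:
            self.hits += 1
            return entry[1:]
        self.misses += 1
        status, headers, body = self._origin(path)
        ttl = self.cache_ttl(headers) if status == 200 else 0
        if ttl:
            self._store[path] = (now + ttl, status, headers, body)
        return status, headers, body


class DemoOrigin:
    """Constructed stand-in for the dynamic website; counts real renders."""

    def __init__(self):
        self.renders = 0

    def __call__(self, path):
        self.renders += 1
        if path.startswith("/account"):
            return 200, {"Cache-Control": "private, no-store"}, "<p>your balance</p>"
        if path == "/blog/article":
            return 200, {"Cache-Control": "public, max-age=300"}, "<p>article</p>"
        return 404, {}, "<p>not found</p>"


def demo():
    """Two visitors each fetch a public article and a private account page.
    Returns (origin renders, cache hits, cache misses)."""
    origin = DemoOrigin()
    proxy = CachingProxy(origin)
    for path in ("/blog/article", "/blog/article", "/account", "/account"):
        proxy.get(path)
    return origin.renders, proxy.hits, proxy.misses  # -> (3, 1, 3)


if __name__ == "__main__":
    print(demo())
```

<p>The article is rendered once and served from memory the second time; the account page is rendered on every request because the origin marked it uncacheable. Which URLs a CDN may cache is therefore decided by the dynamic site's own response headers, not by the CDN guessing.</p>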
<p>Static websites also require little to no maintenance. This keeps human costs down. And since the technology behind static websites is now 30 years old, displaying static websites is cheap and easy for computers to do. Thus, static website hosting, if done right, is free. The only cost would come from a massive influx of Web traffic but, even then, the cost is small compared to having to maintain the infrastructure and code of a heavily-used dynamic website.</p>
<h1 id="appendix">Appendix</h1>
<h2 id="code-for-sequence-diagrams">Code for Sequence Diagrams</h2>
<p>I often find that people don't realize it is easy to generate diagrams using code, instead of clicking around with a GUI. This section shows the <a href="https://plantuml.com/">PlantUML</a> code I used to create each diagram.</p>
<h3 id="dynamic-website-rendering-to-a-web-browser">Dynamic Website Rendering to a Web Browser</h3>
<p>Here's the PlantUML code I used to create the sequence diagram for the dynamic website.</p>
<pre><code>title Dynamic Website
participant "Web Browser" as B
participant "Web Server" as W
participant "Code" as C
participant "Database" as D
B->W: GET /blog/article
W->C: pass request to code
C->C: process request
C->D: get page content
D->C: << page text >>
C->C: gather page header, body, template
C->C: create html
C->W: << html >>
W->B: << html >>
</code></pre>
<h3 id="static-website-rendering-to-a-web-browser">Static Website Rendering to a Web Browser</h3>
<p>Here's the PlantUML code I used to create the sequence diagram for the static website.</p>
<pre><code>title Static Website
participant "Web Browser" as B
participant "Web Server" as W
B->W: GET /blog/article
W->B: << html >>
</code></pre>
<h3 id="static-website-compilation-step">Static Website Compilation Step</h3>
<pre><code>title Static Website Compilation
participant "Developer" as D
participant "Machine" as M
participant "Code" as C
participant "Web Server" as W
D->M: compile website
M->C: render
C->C: get website template
loop each page
C->C: render into html
end
C->C: save html into build directory
C->M: << success >>
M->W: upload html
W->M: << success >>
M->D: << success >>
</code></pre>
<h1 id="footnotes">Footnotes</h1>
<div class="footnotes" role="doc-endnotes">
<ol>
<li id="fn:1" role="doc-endnote">
<p>I am vastly over-simplifying here. Web browsers will want HTML, plaintext content, images (png/jpg/gif) or JSON. But for the purposes of this discussion, let's pretend they are only interested in HTML content. <a href="#fnref:1" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
</ol>
</div>