Vote with your money

@flowidealism What makes math so important that every kid has to do this every day in your opinion? Even kids who have no aptitude and or interest for it at all and have major skills in other areas (think very high in empathy for example)?

I’m all in on helping students to develop the discipline to work on math everyday year round. The more math they cover the better. But reading can be fun, and most voracious readers learn to write easily. Most of school for most students is a tedious wasteland. Homeschool your kids, support them in a daily math habit, then get them to read widely and later write widely after having continuous conversations with them about what they are reading and thinking about. Expose them to a wide range of interesting content and support them in taking the initiative to create and build things they care about.

@fcummins I've read the intro but on the outset this doesn't make sense to me. Chess is literally solved purely based on computation. You can 'think through making' all you want but it will not get you anywhere vs people/computers who do. The game simply is too closed for it.

Great piece on Chess considered in the style of Ingold, as craft rather than intellect. Makes use of Gibson and Bergson and John Cage and more. Brigante, G. G., & Woods, C. T. (2024). On making one’s way through chess. Sport, Education and Society, 1–14. doi.org/10.1080/135733…

@ShaunTobikosan @GuruAnaerobic What does this even mean? Sit or sprint and do nothing in between? Only 1RM vs AMRAP with the lowest resistance? Only full ROM or no ROM? Kids/youth do a lot of things in moderation. I'm all for experimentation, but come on man.. Make it make sense.

@GuruAnaerobic Polarize everything (you will find it playful and interesting and it will mimic youth when we were all the healthiest) Speed, reps, rest, angles, ranges of motion, which half of the brain you use(!)

High Rep - Low Rep. I realised that I've unconsciously changed my gym training to high reps & low reps, mirroring my 1-mile - 100m running training. 100 squats; 40-50 dips, 160 neck (all one set); 3-4 rack pulls, 2-4 chins, 3-4 shrugs, 4-6 dips, 4 barbell curls (mostly myo-sets), 5 one-arm rows... This has made my training more interesting, and feels I am mining a broad range of qualities. I have ZERO idea if this is ideal resistance training and whether it supports my running goals in the best way, but I feel TREMENDOUS doing it. 40+ yrs gym training and I'm still can't say scientifically if what I'm doing is right, so I just go by feel.

I generally agree with this except that learning can be and usually is a lot of fun.

For this morning's 🧵I want to walk you through why threat actor (TA) groups like LockBit are able to get into large organizations like Fortune 500 companies and government entities seemingly easily. There's a lot of moving parts here, but I'll try to make it plain for everyone to understand. First, you have to understand a bit about risk and liability, and how orgs go about making it appear as though they're doing the right thing. And to understand that, you have to understand the culture and mindset. It all stems from a simple fact: Doing security well is hard. It's not sexy, it's time-consuming, and it requires everyone to be doing the right thing all the time, both inside and outside the group responsible for security. Once you acknowledge this basic tenet, there are a couple of ways you can go: You can actually do the hard thing. You can realize that no one's going to do everything right all the time and plan accordingly, building robust, resilient solutions that enable business. Or, you can take the easy way out. My long-time readers will know I tend to be rather cynical and think I'm about to say most orgs choose to take the easy way out. Nope! Most orgs think they're actually doing #2: building robust, resilient solutions that enable the business. But really, they killed that a long time ago, and instead they just prance around in its desiccated skin, giving the appearance of having done so. Orgs will do things like "due diligence", which is a fancy word meaning, "the industry has come to a de facto level of bare minimum work necessary to avoid being held legally liable should something happen". This includes things like implementing "industry best practices", and "best-in-class" and "best-in-breed" solutions, and passing regular security audits. What this results in is a whole lot of orgs who buy the same equipment, configure, deploy, and maintain it the same way, and who have to answer more or less the same questions as everyone else come audit time. I won't dive into just how much of a sham and scam security audits are, but suffice to say that they're the quintessential exemplar of a box-checking exercise, with no real measurable impact on actual security. So, you have all these orgs buying all the same software, equipment, and services as everyone else, because everyone else is doing it. You have them all deploying and configuring them the same way, because that's how everyone else is doing it. [quick side story: I once worked at a company that had to pass several hundred audits yearly. They were in a highly-regulated industry. Among the multiple security audits they had to pass, every single one of them required data to be encrypted at rest. What this means is that stored data should be encrypted. How this got interpreted by both the employees who should have known better, and the auditors, who definitely should have known better, is: "Oh, you have your database stored on a Bitlocker-encrypted volume. You're good." Everyone who knows anything is now shaking their heads, because they know that this is explicitly NOT what the control requires. The database is UNENCRYPTED as soon as the volume is accessed, and remains that way. It's only encrypted if the drive is physically removed from the device it's in. But, I digress.] So, what does this monoculture of software, service, and equipment mean? It means that when a TA group goes and spends large amounts of money for a zero-day in a solution used by one government agency or Fortune 500, chances are it's going to work on a whole ton of the rest of them. Cases in point: SolarWinds and MoveIT, to name two fairly recent massive breach vectors. And that's what these TA groups do: since they have hundreds of millions of dollars or more to burn, they spend it on recruiting top talent, and on buying capabilities from other criminals. This talent and these criminals have the luxury of spending months or years studying in minute detail every aspect of a particular solution. Every patch, every decompiled line of code. Sometimes, they'll just bribe an insider at the company that provides the software, service, or product (see the perennial security issues that T-Mobile has for a good example of insider threat used in this way). Once they have a weaponized exploit they can leverage, they either hit specific pre-chosen targets, or they scan the entire internet, exploiting every vulnerable instance of the solution they come across. They'll even go so far sometimes as to actually fix the vulnerability after they've gained a foothold in the organization, so other TA groups can't come along behind them, exploit it, and kick them out. For ransomware groups, they will sometimes spend days, weeks, even months inside the organizations they've exploited, looking around, figuring out what's worth taking, how everything's laid out. Only when they are satisfied that they've seen all there is to see and gotten all the value out of their access they can, including exfiltrating all the data they want, will they deploy the ransomware which locks up all the computers and demand money from the victims in order to unlock them. "But this is simple! Just restore from backups!" you say. Many companies don't keep most of those systems backed up. or the backups are too old. Or, the ransomware either destroys or encrypts the backups, too. This, by the way, is a strong argument for making daily backups and keeping them offline, as well as routinely practicing restoring your systems from backups, to ensure minimal downtime and maximum business continuity. Many companies also use cloud services and third parties that are either given sensitive data, or granted some level of access into the organization. TA groups will go after these third parties instead of the primary targets, as they are often even more insecure than the targets themselves, making the data or access easier to get. In some cases, these third parties have the "keys to the kingdom", so to speak, in that they manage the critical infrastructure for the company. SaaS (Security as a Service) companies are like that; they manage all the security solutions for multiple companies. And yes, these SaaS vendors have been hit by TA groups in the past and, yes, it was a nightmare for their customers. The TA groups, once they've deployed the ransomware, will usually threaten to publicly release the data they've stolen unless the ransom is paid. The TA groups have great customer service and tech support. Better than most of their victims, in fact, and will helpfully walk the victims through how to go about verifying that the TA group has, in fact, stolen their data, how to purchase the cryptocurrency they want to be paid in, how to transfer it to them, and how to apply the decryption keys their ransom money paid for to unlock their systems. You'd think the answer here is to simply not pay, and this would stop. You'd be wrong. In fact, an entire industry has sprung up around ransomware insurance -- companies that sell insurance against ransomware attacks. On the surface, this sounds well and good. In reality, companies pay these insurers, and when the companies are attacked, the insurers merely negotiate with the TA groups and pay them off. They're essentially middle-men for the criminals, ensuring they get paid. And this is an accepted industry practice. The sad fact of the matter is that systems have grown so complex, and humans are so fallible, that there is no such thing as "secure". Only "risk minimization". And, even then, the risk minimization that occurs is a ruse, designed to placate auditors and regulators, not to actually minimize risk. But, as long as everyone plays the game, makes all the right noises and dance moves, no one's peepee gets whacked too hard when the inevitable occurs, unless it's overly-embarrassing and the PR can't be spun well. Cf., the credit bureau who got hacked, and it turned out their CISO (Chief Information Security Officer) had a degree in music, and no actual security background. This is the world we live in. This is the world you trust your finances to, your health to, your very lives to. It's as fragile as tissue paper in a hailstorm. But, as long as everyone squeezes their eyes tight and shoves their fingers in their ears, we can all have the latest shiny, blinky, beepy gadgets to "make our lives better and easier". You should not be shocked that the Fed got popped. You should be shocked it took this long.

I can't use Apple Pay I can't us PayPal I can't use Stripe I can't use Wise Because I'm in #Cuba 🇨🇺 I CAN USE #Bitcoin

@HillierGerard @bennypahl Tag never disappoints.

@bennypahl Oh wow 😮 I’ve never heard of that rule being a thing, what a bummer for the kids. As much as I dislike layup lines, even they’d suck with only 1 ball 😂 Let me see what I can come up with (outside of 4v4 or 5v5 etc), be back in touch shortly 👍

Pregame Warmup - Chaos 1v1 Play Without doubt one of the most under-utilised portions of time we have with our teams, being the pregame on-court warmup, which for most junior teams in Australia is about 3-5mins (for most games). Here’s an alternative to the traditional, and highly useless, lay up line drill that 90% of junior teams roll out pregame. #LiveLearnTeach

@PerBylund I'd pay a premium for my packages being delivered by anything but a human.

Getting your mail and packages hand-delivered by a human being is a luxury service you will soon need to pay extra for.

@GuruAnaerobic I rarely feel a difference from supplements.. Whey protein combined with strength training does wonders though.

I did this, it made no difference. Try things out for yourself but be wary of accounts which claim a supplement has magical properties.

@pntrack @Tony_Villani_ Can I watch this somewhere ?

This guy (⁦@Tony_Villani_⁩) is amazing.

@RewiretheWest This trailer is really well done.

@allenf32 I didn't read it, but this seems tricky for the simple reason that everything is off the tables when bitcoin does a 5x'es.

I'm beginning to suspect that none of you actually read the short report 🤔 kerrisdalecap.com/wp-content/upl…

@WhalePanda Paper bitcoin anyone?

Good morning, Yesterday we say another $488.1 million of inflows. Fidelity did $220.6 million, Blackrock did $155.1 million and Ark did $71.4 million. Price barely moved and it's still at $71.2k which means that there is a really big seller in this range just under the previous ATH. Could be a trade to take advantage of the premium where they buy ETFs and sell/short derivatives to cash in on the premium. source: @FarsideUK

@nvk Nah it's the same voice, maybe a different mic?

@nvk I'm curious now, last time I heard him speak (quite a lot) was like 3/4 yr ago. Where is he talking now?

Holy shit his voice changed! New spook.

@denverrefugee @CoachWheel Kyrie comes to mind.

@CoachWheel Yep... fast guys who only use it when necessary are hard to guard!!

When you watch an athlete who’s really smooth, they are trying to score or make a play with the least amount of energy possible. This is the opposite of the speeches that famous college coaches give at youth camps which is all about going 100% every minute they’re out there.

@ZacGoodman_ @tjthompson I have a hard time figuring out what this means. So this is different from simply jumping as high as you can for x reps I guess?

@tjthompson Load that elicits optimal velocity.

Speed can be DEVELOPED… here’s how ⬇️ 1. Improve Squat/Deadlift to Bodyweight Strength ratio. 2. Jump Maximally with correct loads 3. Sprint Maximally If you do these three things, your speed will drastically improve! 🙌🏻📈

@_ToddBeane Bitcoin lives in context and complexity. This is not to be taken lightly and understanding this deeply can change your life.

@_ToddBeane x.com/unexploredtrut…

@_benkaufman That is smart as hell. Love it.

Canary wallets is a really cool new feature to help increase your chances of early detection if a key in your multisig gets compromised. It’s a small wallet for each of your signers so that in case a hacker compromises one of your keys, they’ll think they just found a normal single-sig wallet, baiting them to steal it so you can detect it was compromised and remove it from the multisig setup.