Spyke

Replies

Comment on

You did what now?

Reply in thread

It doesn't seem like catching up to me because catching up implies speed was increased to intercept, not distances were different followed by intercept.

If I fire a gun nearly perfectly straight up, run forward 10 feet and catch the bullet in my shoulder it wouldn't feel right to say that I fired, ran fast enough to catch up to my bullet and shot myself.

You fire a bullet and it accelerates downward at 9.8 m/s² until it gets to some terminal velocity. It moves forward at some velocity with a braking acceleration that's non-linear and gross. Result is a downward motion in a basically parabolic arc.
The plane, however, is accelerating downward faster than the bullet because of thrust, and also accelerating forward.
By the time drag has essentially stopped the bullet the plane is underneath it.

When phrased as "caught up" it makes it sound like the plane went as fast as the bullet, when the plane had a top speed of mach 1 and the bullet ~mach 3. They just took different paths.

Comment on

You did what now?

Reply in thread

  • nice
  • so it didn't so much "outrun" the bullets, but moved under them as they fell? Still funny and impressive either way.
  • "survived with a broken leg and multiple broken vertebrae" - okay, so maybe "funny" in a different way.

Comment on

Oh lord yes

Reply in thread

neither technology nor biology can do that right now

Yes, that was the point. If we focus purely on the math to the exclusion of reality you get results that don't apply to reality.

If you only look at thermodynamics when discussing weight loss you get the best possible weight loss advice: "eat less".
It happens to ignore the reality of biology, how the body reacts to changing nutrition, or how it reacts towards changing your desires when nutrition changes, but it is technically correct.

Just like it's technically correct to say that a sugar cube has enough energy to power your home for a long time. It may be a useless observation, but it's technically true.

memes

Comment on

They're so spacious

Reply in thread

Modern cars bend and flex during a crash, and they do it in such a way to keep occupants safer. Bench seats can't do that as well. They also don't work as well with modern air bags and seatbelts, and they often lack headrests.
Without a headrest a relatively low speed impact basically snaps your neck and whips your head into the dashboard.

You want your seat to basically hug you and lock you into place. There's a reason racecar seats look like they do.

Comment on

Canadian healthcare staff decry ‘cruel hoax’ after scam email promises paid day off

Reply in thread

Yeah, you're right. Passkeys, SSO and password managers make it impossible to get any work done. It's much better to keep doing the same things that haven't been working for decades. Don't forget to make everyone rotate their password every month!

What's your simple due diligence to prevent phishing? You check the links you click, verify the URL you ended up at is what you expect, validate no unexpected Unicode swaps in the domain, pop back to the email and check the sender is known and trusted, look at the headers and validate the routing chain, then double check the sender SPF and DKIM records are on the up and up? Oh, and make sure the actual content that you landed on is from the website and not a hijacked subdomain.

they have no reason not to trust them as a coworker doing their assigned job

That's the specific area where they don't. We're discussing a specific situation where the security team is taking it upon themselves as their job duty to trick you and get you in trouble. That makes people hesitate to share security concerns because "those guys are pricks and will make this all my fault".

Losing your job because ransomware

It's a hospital. They're already short on nurses and administration staff. Those people directly provide patient care or manage operations. Security does not. Security's job is to maintain security standards compliance and maybe keep patient data safe. It is not to exacerbate a staffing issue or let the network go down because you thought it was too much hassle to do your job and properly secure a fucking managed laptop. Security is, rightly, going to be blamed when a user gets the network infected. Particularly when your idea of training is to offer them PTO and then call them an idiot when they want it.
The person making the decision on who to blame is a lot more like that poor nurse than they are like security.

Comment on

Oh lord yes

Reply in thread

Nope. It's usually people, like in this thread, not understanding what "bad genes" means.

You're a thermodynamic machine, not magic. If you eat less than you burn you'll lose weight.
You are also an extremely complicated machine, with complex chemical processes that govern long and short term behaviors.
"You" are a little slice of protein and fat the size of an avocado glued to the front of a more complicated machine. "You" are responsible for solving problems. The rest of your brain and endocrine system is responsible for managing most desires as well as most other things.

Some people have genetics where they run a mile and their body says "oh shit, this would be easier if I turned the energy fountain up to full wouldn't it?" And now they're burning more energy when they're asleep than they were before.
Other people have genetics that gives them a body that says "oh my God, you just ran nearly 2 blocks. Clearly you're in danger, so I'm going to increase the hormones that tell you to eat a lot more food. Don't worry, the pizza will be gone before you actually feel how much food that is".

You can override the endocrine system, but it's hard. The frontal cortex can change what you do, but the endocrine can change what you want.

Your body is a machine, just like a car. And different cars will start to ding and nag the driver for fuel or maintenance tasks at different points, with different levels of intensity. If your car is built for the Australian outback it might be way more aggressive about fuel warnings, and have a significantly larger tank.

All that's why exercise is a terrible way to lose weight. You lose weight by getting your eating under control and convincing the medieval peasant in your endocrine system that you're not in a famine. Exercise makes your body feel better, more capable, and healthier.
You can exercise all you want, but you can eat your way through any exercise routine in minutes.
A peanut butter and jelly sandwich is more than an hour of vigorous time on a rowing machine.

Comment on

Canadian healthcare staff decry ‘cruel hoax’ after scam email promises paid day off

Reply in thread

My entire point is that none of that is actually new information. Every piece of research by anyone has always indicated that the human element is the weakest part of the security system. If you're asking if you can trust a user to reliably do something, you can safely say "no" and make contingencies for when they don't.
If they have technical solutions available, they didn't need to run a drill to know that they should use them.

It's not about being "liked". It's about effectively enforcing a security posture. An adversarial relationship does more to undermine that than providing guidance on how to do it better.
They have no obligation at all to "run scenarios" where they could just implement the fix to the problem.

They exposed a fatal vulnerability in the same way stabbing someone exposed a problem: it's been demonstrated, but it's not new information.
This type of exercise is about producing numbers that look good on a spreadsheet. You do a phishing drill, people fail and then you run a training. A few weeks later you do it again and since people still have the previous drill lingering they remember, and you send a softball phish. Line go up and to the right. Looks good in report.

Comment on

Oh lord yes

Reply in thread

Nope, there's just even more energy in a lump of coal.
I believe their point is that it's a bit silly to sit around focusing too much on thermodynamics beyond the raw limits, when there's a lot of factors that weigh in to how much of the theoretical maximum is available or used. Beyond just the basic chemistry involved, there's hormones that influence how it's used, and people's urges to consume.

Comment on

Oh lord yes

Reply in thread

People always underestimate the endocrine system. Your frontal cortex and everything that you are is basically just a tool for your endocrine system to use to get food and sex.
It's why eating less is so hard for some people. If the endocrine system is being pushy, it can just make you not care about your goal, and not many people can do something uncomfortable that they don't want to do in furtherance of a goal they don't care about.

Healthy, stable eating habits need to come before weight loss eating habits, and that needs to be paired with light exercise as you build up.
Like taming a wild animal. Some people just have a capybara, and others have some sort of ocelot that's addicted to meth. Most people have dogs. Gotta ease in, but once you get started it's fine as long as you don't traumatize the poor beastie.

Comment on

Canadian healthcare staff decry ‘cruel hoax’ after scam email promises paid day off

Reply in thread

Sure, but that's ignoring the cost of "now your users don't trust the security team".

For most things like phishing there's only so much training you can put on a user. Humans are pretty okay at understanding the costs associated with their time in an implicit manner. Users will check well enough to meet their internal cost metric: the cost to them if they get phished isn't high, and the likelihood is low. That's why it's such a problem in workplaces.
The solution isn't to keep beating the user over the head. First, it can undermine other important parts of the relationship between users and security as I mentioned, and it can, if done in the extreme, normalize phishing emails. The real phish comes in and sits unreported next to the fake ones. Security never gets to run a scan and remove the message from every mailbox, increasing the exposure.

The better approach is to prevent users from being in control of their own vulnerability. Don't let them enter their credentials into the nono box.

Comment on

Canadian healthcare staff decry ‘cruel hoax’ after scam email promises paid day off

Reply in thread

That's not new information though. All they've done is teach users that their security team is more of an enemy than a friend.

Seriously: what action are they going to take as a result of this that they shouldn't have already been doing? They could just as easily have assumed, entirely correctly, that users will fall for phishing messages. Don't need an exercise, to say nothing of a mean one, to learn that.

Comment on

Oh lord yes

Reply in thread

Yup. Good habits come first. Every 12 pack of pop is roughly a marathon, give or take.
The simple act of cutting pop for water saves a massive amount of calories, but can be really hard if you're not used to liquid not being strongly flavored.

Exercise, beyond being a bit self fulfilling ("I want to be in shape so it sucks less when I exercise"), does also increase your baseline metabolic rate once you get in the groove. Once you start moving your body becomes more free with burning energy when you're just sitting around, and you'll passively burn 3-6 cans of pop more than you would before.

But 100% to your main point. If you don't have your diet under control it doesn't matter how much you exercise, the medieval peasant that lives in your endocrine system will make it very hard to resist putting the calories right back in.

Comment on

White House delays release of US voting machine study as midterms near, while some of their officials argue that it would undermine voter confidence

Reply in thread

Nope. The intent of electronic voting is to make tabulation faster and more accurate, and to make it easier for people to vote the way they intend without marking errors causing problems. A machine can much more easily increase font size, for example, or increase contrast. It can support a different way of marking for people who have difficulty with the standard.

None of that is incompatible with a physical artifact being produced like a paper ballot does.

That's how my area does it. The electronic machine actually fills out the same paper ballot that you would fill out by hand, but it can mark perfectly and make it easier to read and operate. The machine has no way of knowing who's voting, or making a change that isn't immediately evident. I think the biggest scandal they've had is once, during calibration, one of the machines indicated that the vote for township board of supervisors was to be cast for "the empty space between the list of candidates and the description of the item being voted on".

There are other proposals that would allow people to vote by phone which is solving a problem no one really has, and there are yet others that provide a digital code that allows the voter to verify that their vote was counted and factored into the final tally as they cast it. That one is interesting, but also not in conflict with a paper trail.

Comment on

me looking at my 190 cm/110 kg daddy

Reply in thread

Testosterone is literally a steroid. It's sort of a reductive statement but you don't really think about it often.
It basically acts as a multiplier for the "grow muscle" signals your body can produce.
Men and women can easily have the same outcomes for muscle mass and calorie requirements, but men might not have to work as hard to get there owing to the higher testosterone multiplier on average.

I've also heard that it makes your skin act weird. Several trans people I've talked to have all mentioned that getting their hormones managed made their skin care routine either way easier or harder in a sort of "holy shit" way.

Comment on

Canadian healthcare staff decry ‘cruel hoax’ after scam email promises paid day off

Reply in thread

Sure, but here's the critical thing: the security team isn't a threat actor, they're coworkers. Their job isn't to steal data but to protect it and get coworkers to better protect it.
Doing stuff like this doesn't advance that goal, and actually hinders it. Now a bunch of people think the security team is full of assholes and the lesson taught is "the security team will trick you, get you in trouble and also good things never happen here".

They now know that they could face a breach from an enticing phishing email, which isn't actionable. What do you do with that information that you shouldn't have already been doing?
The cost is that now when someone does something like actually fall for a phishing attempt they have less reason to trust that security is on their side, and more reason to brush it off and try to obscure it to avoid getting in trouble with security.

A better way to train users is to use rewards. Tell them you're running a phishing campaign and properly reporting it gets a chance at a gift card or prize. Then tell them you're going to keep doing it, and that legitimate phishing reports also get a chance.
It costs you $100 a month, no one is mad at security and it's easier for users to see it's an exercise rather than an attack.