* Posts by mmccul

89 publicly visible posts • joined 10 Sep 2017


Splunk alleges source code theft by former employee who started rival biz


Maybe reach out again for comment?

I see cribl has posted a response at https://cribl.io/blog/cribl-denies-splunk-allegations/ and I've been told they have fixed their email address for media inquiries. (No connection here with the company, I just know where to mention such things)

Businesses should dump Windows for the Linux desktop


Re: Real World...

There's been a shift over the past ten years or so on "what does admin rights mean on the desktop?" I've been watching it first in the macOS space, but a lot of the arguments over there apply equally well to the Windows side: the standard user rights already can do a lot of the key things an admin can, and lack of admin rights doesn't prevent some of the most critical damage types seen by attackers today who are interested in your data (exfiltrating or destroying). It doesn't take admin rights to copy files out of your documents library location, or your network file share, or to write to those locations either. It doesn't take admin rights to install a web browser plugin.

Before one talks about admin rights and removing them as a knee-jerk reaction, one needs to ask what can those rights do that cannot be done by a standard user? You might be surprised. That leads more naturally to going back to the questions of what are the risks, what is the threat model in question, and how do we reduce the likelihood of initiation or likelihood of adverse effect of said risk vectors.

Good security requires work, regardless of your choice of operating system. Reflexive operating system bashing is unproductive and I would argue, generally unprofessional.


Re: LibreOffice is not as good as MS Office

At work, the top feature I use of Office is communal editing.

I have several Word documents and Excel documents. A team of four (or more) people are actively, throughout the day, editing these documents. We can't be emailing them back and forth, we need our edits to reflect immediately.

We need to be able to see a log of who changed what. We need good visibility of proposed changes and comments.

All of that, we have with the current generation of MS Office with the O365 plugins.

Are there alternate ways of doing some of this? Of course. But the technical barrier of entry is very low. I don't have to teach the less technical members of the team some tool to make things work or collect the data needed for status updates.

Never underestimate the power of an effective visualization. I spend a lot of time in tools like Splunk figuring out the right visualization to most effectively communicate to non-Splunk experts.

Bad news, older tech workers: Job advert language works against you


Re: Don't know about that

Disclaimer, I do a lot of writing for different audiences.

The rules of writing are not a single body. They differ depending on the audience. Use of hyphenated adjectives, expected for some audiences, gauche to others, being just one example. Starting a sentence with a conjunction, even if theoretically permissible in many cases, is considered sufficiently poor form as to be indicative of bad sentence construction by most audiences I work with, indicating that the sentence should be reworded.

I remember talking about some of the differences in expected writing styles of journalism versus literature once, and even core word choice and punctuation rules were quite different. In my job, I have to write very differently for standards language than I do for compliance language or run book language. Even something as basic as active versus passive voice, many forms of writing I work on professionally explicitly prefer passive voice.

Broadcom's VMware buy got you worried? Give these 5 FOSS hypervisors a spin


Beware the Oracle

I've seen companies issue urgent "remove all VirtualBox instances now" warnings, time and time again over the past several years. Turns out, Oracle loves to find companies using such, try and force an audit on them that will cost the company a lot of money even if they are in compliance, and if they find even one user who without thinking is using it commercially in a manner only licensed for personal use, hit the company with huge penalties. It was literally cheaper to buy alternatives for users than to go through such audits for a "free" software product.

Did ID.me hoodwink Americans with IRS facial-recognition tech?


NIST SP 800-63a issues

Having recently had to re-read NIST SP 800-63a, the Identity Assurance Level (IAL) tiers of what constitutes IAL-2, there is a small part of me that feels sorry for the IRS. More than likely, someone told them they have to meet IAL-2 for online access to taxpayer data. That's hard. A lot of what I've seen around the id.me stuff has been, if not something to make me feel good, at least something I can sort of understand in the context of IAL-2.

Section 4.2 statement 10 actually encourages the organization to conduct a fairly vaguely described fraud mitigation mechanism. I'm not overly conversant on the fine details of SP 800-63a, so I can't say that id.me followed the additional rules in it. But I can at least feel some understanding for what's going on. When someone I knew went through the id.me process some months ago, we compared each requirement of id.me back to the document and couldn't find any case where they weren't following a plain reading of the rules, even the steps that made us concerned were clearly listed as things they were supposed to do. I won't say I'm happy about what happened, but if we want to prevent such things from recurring, we need to understand what rules may have caused people to select a certain approach, or the next company to come along will do much the same thing, just with slightly different marketing.

Microsoft makes account switching easier in its web and desktop apps


Browser profiles?

Instead of using a guest profile, why don't more people use persistent browser profiles? Especially on my work computer, I use multiple profiles so that it feels like just a separate window of the browser logged into different accounts. Side benefit is I get different sets of cookies that are persistent, so other vendor websites or services can be bound to the correct account automatically.

IBM deliberately misclassified mainframe sales to enrich execs, lawsuit claims


Re: Now we have hybrid cloud

Not defending IBM, but NIST actually has a fairly clear definition of different cloud models in NIST SP 800-145. They do define hybrid cloud there as well.

I started referencing the NIST definitions of what cloud means and the various models recently, ended a lot of potential arguments.


Not just publicly traded companies.

"We need to maximize revenue in category X!"

Answer: Shift several projects having nothing to do with that category into it, then declare that category strategic and everything else "legacy" (and therefore an area to get out of, even if it makes lots of money for the company).

I've seen it at all kinds of companies. If it isn't about propping up stock price, it might be about pumping up perceived value for private equity firms.

Half of bosses out of touch with reality, study shows


Re: Easing?

Two kinds of managers. Those that manage up, and those that manage down.

I've had great upward managers. They described their job as basically blocking all the flak sent our way. They'd find out priorities from on high, push back on things that would cause us grief, and if they did their job well, we'd never know how much they successfully resisted, because it wouldn't come near us. (Until the casual conversations weeks later where they'd mention what was going on earlier).

Downward managers are the ones who look down at the team a lot more and provide day to day direction more.

When I have more senior teams, that's when I usually want an up focused manager. I don't need their daily help, I need them to stop the nonsense, prevent little griefs from being big ones.


Re: I don't know about anyone else

Around fifteen years ago, when I had a guaranteed 100% WFH tech position, I estimated I was saving around $5000 per year in costs I could clearly articulate. A significant amount of that cost (but hardly all) was based on the IRS mileage rate for driving myself to and from the office. Approximately 230 days of work per year (50 weeks (two weeks of standard holidays) -> 250 days, but take off 20 or so for vacation days and sick days and a few random days to get a nice round number), it was right around $0.52/mile, so ~$240/mile from the office per year. At the time, I lived around 20 miles from the office, so $4800 just for wear and tear, gas, etc. expenses of the commute.

Today, I'd calculate my hourly rate and add in the cost of that to the commute for the estimate and yeah, if someone offered me $7500 less per year for a guaranteed "work anywhere in the country"? I could see a lot of people going for that. If they wanted $10k less? I'd probably consider it a negotiation point and go from there -- if I really wanted the position.


Re: Bollocks statistics

I never understood how people took an hour for "lunch". Had one employer get upset at me for not working 45-50 hours/week. Their excuse? "You have to take time for lunch". I pointed out that I brought my lunch every day, took under five minutes to heat it if necessary, returned to my desk and kept working. I never agreed to a split schedule of mandatory "really working but pretending not to work for an hour or more every day".

(Side effect, I saved a lot of money each year by not purchasing an overpriced meal from the corporate cafeteria that really wasn't that good for me anyway).


Re: Bollocks statistics

I've successfully resisted this culture. One way I did is emphasizing every year in "annual goals" that my number one goal is "Maintain gainful employment without significant adverse effect to health or family." When I send someone an email outside what I know their standard hours, I'll put an explicit "When you get in" to emphasize that I do not expect them to respond to the email before their standard day.

As a consultant, I keep track of my hours and tell the client "I'm going to hit 40 hours billable at such in such time Friday, so I'll be leaving then." I don't ask, I tell. If a client has a problem with it, they can ask the next week if I would be willing to work overtime.

People with a certain seniority need to lead by example. You may not be a "manager", but if the company values your time and you start emphasizing the work life separation (not balance, separation), others are more likely to follow your lead.

Scam, pyramid scheme, environmental disaster: Vivaldi boss shares his thoughts on crypto-coins


Re: Wall Street?

Regarding signing of vaccination status, check out the smart healthcare card format (SHC). Some areas already use it to issue digital vaccine statements that are cryptographically signed by a known entity (e.g. the state of California). No blockchain required, just ordinary cryptographic public key signatures of an agreed data structure.

'IwlIj jachjaj! Incoming LibreOffice 7.3 to support Klingon and Interslavic



The LibreSSL team, in the wake of Heartbleed, which spawned the project, eliminated tens of thousands of lines of code in the first few weeks of the project existing. That code was never going to come back.

Yes, software (OSS or COTS or custom build) can get smaller, but it does take some discipline, something that is often lacking in any codebase (not just OSS).

Spruce up your CV or just bin it? Survey finds recruiters are considering alternatives


Coding is not the end

Coding interviews miss the point. How does the candidate work with the team? Do they demonstrate an awareness of process? Can they demonstrate an understanding of ways to juggle competing requirements for the code? I used to say that the job was at most one third technical skills. The other two thirds were general problem solving and people skills.

Who knew, hiring is hard.

Cisco requires COVID-19 shots for all US staff – even remote workers


Re: how to prove it

In California, all COVID vaccinations are reported to the state vaccination database, even the pop-up clinics, and you can download a cryptographically signed smart health card (QR code) that includes name, date of birth, and vaccination data. The database already existed for all other vaccinations, what changed is a website for end users to obtain the evidence (at IAL-1 level) of an individual being vaccinated. That QR code saves directly to both Android and Apple mobile devices for production readily, and there are also apps that can display the code readily in forms used for travel (as well as test results).

After looking into the SHC technical specification, I was pleasantly surprised at it. A lot of things were well thought out.

Doesn't help those not vaccinated in California, but for many people? It's a nice thing.

Customers warn Gartner of AWS's high-pressure sales tactics in latest verdict on public cloud providers


Sales pressure

Gartner has a strong reputation for engaging in behavior that if you are feeling exceedingly polite and generous, would be called high pressure sales tactics on companies to be included in their listings as well as "improve" their ratings. For them to warn about another company engaging in high pressure tactics feels more than a little ironic.


Re: Public?

Gartner has credibility still?

The common factor in all your failed job applications: Your CV


Re: CV's top tips

Last time (many years ago) I was interviewing for jobs, I got asked why I wanted a given job, and I told the recruiter they needed to convince me I should take the job, I was interviewing them at least as much as they were interviewing me.

Yes, I was offered the position.

Train operator phlunks phishing test by teasing employees with non-existent COVID bonus


Re: spelling mistakes, a really obviously bad url

Actual phish emails I analyze haven't been typo riddled in a year or more. I see more typos and grammatical mistakes in the legitimate emails.

Also, spearphishes are very often crafted quite well, including personal references.

Don't train people on the exact wrong indicators.


Re: spelling mistakes, a really obviously bad url

The standard is any email from outside the corporate email system that is legitimate needs to have at least three business days in advance, a warning from the appropriate group inside the company, warning that the outside email will occur, including a description or mockup of the email to be received. If the emails are going to be regular/common, then state that in the warning email. If there is a response required, then that will be highlighted in the mail system, often with a second path warning of the coming emails that doesn't go through email, such as a notice through the supervisor.

If the email came from the corporate email system, then it was a bad test.

Modern phishing training that is any good does not talk about spelling mistakes or "obviously fake domains". They instead emphasize external sources, artificial sense of urgency and lack of corroborating emails from the official corporate email system.

Yes, I've worked at shops that implemented that rule, and it significantly cut down on the phishing damage.

US declares emergency after ransomware shuts oil pipeline that pumps 100 million gallons a day


Air gap can be hard

Several times, I've heard of supposedly air gapped systems that were connected to a command and control network, legitimately, which was connected to an administrative network, with all the sysadmins knowing that, but that admin network was connected to the ... and eventually, to the public network. Each link seemed appropriate in isolation, but not together, and no one realized the overall chain of links until something happened to demonstrate it.

It's not a new problem, and it doesn't have to be malicious incompetence. Air gapping a single server is easy. Air gapping a network of systems that need to talk to each other to do their primary function is much harder.
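The chain of individually reasonable links described in the comment above can be found mechanically. This is an added example, not code from the original comment: the network names, links and justifications are constructed, and the search simply walks the approved links to see whether the "air-gapped" network can reach the public one.

```python
"""Find the hidden path from an 'air-gapped' network to the public Internet.

Added example, not from the original comment. The network names, links and
justifications below are constructed to mirror the chain the comment describes.
"""
from collections import deque

# Constructed inventory: each entry is one link someone approved in isolation.
# (network_a, network_b, reason) means traffic can flow between a and b.
LINKS = [
    ("ot-control", "command-and-control", "operators need live telemetry"),
    ("command-and-control", "admin-network", "sysadmins patch the C2 hosts"),
    ("admin-network", "corporate-lan", "admins use corporate email and AD"),
    ("corporate-lan", "dmz", "web proxy for corporate users"),
    ("dmz", "internet", "outbound web access"),
    ("lab-network", "admin-network", "test jump host"),
]


def build_graph(links):
    """Adjacency sets; every link is treated as bidirectional (worst case)."""
    graph = {}
    for a, b, _reason in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def find_path(links, source, target):
    """Breadth-first search; returns the shortest hop list, or None if isolated."""
    graph = build_graph(links)
    if source not in graph:
        return None
    parent = {source: None}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in sorted(graph[node]):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def explain_path(links, path):
    """Pair each hop with the justification that was approved for it."""
    reasons = {frozenset((a, b)): r for a, b, r in links}
    return [(a, b, reasons[frozenset((a, b))]) for a, b in zip(path, path[1:])]


def is_air_gapped(links, system_network, public="internet"):
    """True only when no chain of approved links reaches the public network."""
    return find_path(links, system_network, public) is None


if __name__ == "__main__":
    route = find_path(LINKS, "ot-control", "internet")
    print("air-gapped:", is_air_gapped(LINKS, "ot-control"))
    for a, b, why in explain_path(LINKS, route):
        print(f"{a} -> {b}: approved because '{why}'")
```

Each hop prints with the reason it was approved, which is usually the most persuasive artifact when explaining to the owners of the individual links why the whole chain is a problem.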

Microsoft realises constant meetings stress people out, adds Office 365 settings to cut them short or start them late


Alas, one manager I had was a triathlete. Running for a few hours would not be abnormal for them.

Microsoft president asks Congress to force private-sector orgs to admit when they've been hacked


California has almost this

California's breach notification laws are surprisingly powerful tools. Yes, there is an escape clause if the personal information was encrypted (and yes, it is defined enough that double ROT-13 doesn't count). Yes, it has to impact 500 residents of California, but it's surprisingly powerful, to the point that long before I lived in California, I had to be aware of it routinely. The long arm clauses make even businesses that don't "exist" in the state still have to notify people of breaches, so reorganizing in Texas or Delaware doesn't protect the business.

As I understand, New York State also has similar laws, though I have not sat down and analyzed them.

I suspect that some of these companies would like to see a single federal standard breach notification law rather than state by state requirements that differ slightly in what constitutes personal information, what protections exist, etc.

Big Tech workers prefer 3 days at home, 2 in the office. We ask Reg readers: What's your home-office balance?


In my experience, your critical coworker is remote, no matter what. They may work in a different city, or even country. Twenty years ago, to deal with precisely this problem, I required a team member who was the only one in that office from my team to stop coming into the office for two weeks. The result was people stopped treating that person as the only person on the team and started working with the team as a whole.

Building socialization methods for those who work in different cities from you is important, precisely so you can have those casual bounce ideas off the wall conversations. Thinking that you can only socialize with or work effectively with those in the same office as you encourages a culture that I never have believed was sustainable.

If you're a WhatsApp user, you'll have to share your personal data with Facebook's empire from next month – or stop using the chat app


Account deleted

Well, that gave me the last bit of incentive I needed to delete my whatsapp account.

Search history can calculate better credit ratings than pay slips, says International Monetary Fund


The above is one of the best explanations of how real world traffic analysis is done I've seen in years. Throw in some well known network security tools that have been around for many years and one can even automate #4. The larger the ISP, the fewer original requests they have to make because they can build up a profile for comparison.

US Treasury, Dept of Commerce hacks linked to SolarWinds IT monitoring software supply-chain attack


Could be scarier than one might expect

Where I've seen SolarWinds implemented, the tool was often given administrative credentials to not just the networking gear to pull credentials (and restore them if they change without authorization), but also to perform discovery on Linux systems. Despite having well documented "these are the only sudo permissions needed on Linux", I've seen many shops just give it full root.

Often, I was asking admins to choke down the access and there was surprise that the tool worked with less than full root.

So, yes, this is a very scary thing to me.

Cybersecurity giant FireEye says it was hacked by govt-backed spies who stole its crown-jewels hacking tools


Re: Freely available hacking tools

Nation state actors are not one skill level. I typically divide them into three teams (A, B, C) based on my experiences observing such. The C team was nothing more than script kiddies running straight from well traceable IPs. The B team was moderate sophistication, but still detectable, nothing a high end defensive tool couldn't detect and deal with as long as my team (I was on the security team that saw the alerts and tuned the tools) was on its game.

Even targeting was distinct between them. C team was pure targets of opportunity, acting often like your normal Internet vandals in targets, distinguished by source IP and a couple other details. The B team engaged in moderate targeting, picking and choosing.

Yes, this is a simplification, but a useful one.

CentOS project changes focus, no more rebuild of Red Hat Enterprise Linux – you'll have to flow with the Stream


Re: To the surprise of no one

Outside GNOME, which I have negative interest in for a server, I haven't found anything that actually likes systemd. None of my daemons enjoy it and many don't work as well, because systemd is so hard to work with.

Oblivious DoH, OPAQUE passwords, Encrypted Client Hello: Cloudflare's protocol proposals to protect privacy


Re: Why DoH?

This is nothing but a grab for your data. I think anyone who believes otherwise is being naive. The new proposal sounds good on the surface, but I strongly suspect all that will happen is a request identifier will start being entered into the query to uniquely and persistently identify most users all the way to the end server. (And source IP is hardly the only way to build such a profile).

Outside this forum, I see no one asking for DoH. Certainly no nontechnical people, and no one who works corporate, IT or security or development. It's a bunch of web advertising companies and CDNs who want to get that valuable DNS query information from you rather than let the ISP have it.

AWS admits to 'severely impaired' services in US-EAST-1, can't even post updates to Service Health Dashboard


Re: I learned SRE at Google

Having seen what is required to reliably provide a legally mandated five-9s service, I believe that no cloud, even multi-region, multi-cloud I've looked at comes close. I've said for years that AWS delivers about 99.7% uptime, year over year. A service that needs five nines, meaning only 5 minutes of downtime (planned or not) per year? That takes a very different mindset about processes like change management, redundancy, etc.

Smaller services are more likely to deliver higher reported uptimes because there are fewer moving parts that can cause widespread failures, but *any* issue impacting the overall service impacts your availability numbers. I don't give credit for "planned" service downtime.

The rule of thumb I still teach is every nine after the first one adds a zero to your cost estimate.

Some day, I'd love a discussion/briefing on what it takes to deliver the six-nines service level.

Thought the M3 roadworks took a while? Five years on, Vivaldi opens up a technical preview of its email client


Re: Fantastic

Using Thunderbird 78, I've just done this for a while.

In the search bar (^K), type in the email address of the person I'm looking for, after a few characters, it suggests the person, click on that, it brings up the filter screen of all emails involving that person. No need to create a custom smart filter temporarily if you just want emails involving an individual. Being able to quick filter in my various IMAP folders is nice as well.

End-to-end encryption? In Android's default messaging app? Don't worry, nobody else noticed either


I had to give up on Signal when messages to a group chat were sent at one time, received by a second phone within two minutes, but the third phone did not get the message until literally the next day, even though the phone in question was in use. It was just far too unreliable.

Apple now Arm'd to the teeth: MacBook Air and Pro, Mac mini to be powered by custom M1 chips rather than Intel


Re: Side note

Coming up on 25 years ago, I was doing sysadmin at a CAD shop using SDRC I-Deas Master Series (super-expensive mechanical CAD software) on HP-UX workstations (C-series was what we were moving to by the time I left, which I admit places this in time pretty well). Windows NT and AutoCAD was "for those who weren't doing serious work", but many of your points about the advantages of cloud CAD were solved way back then because every part had to be checked into a central server library. People would check out a part, work on it, and then using the software's built in version control, check it back in. I don't recall what the underlying VCS was, but it had the concept of formal checkout to lock a part so two engineers (as in mechanical) didn't accidentally work on the same part at the same time. The real reason we needed super-large horsepower was at that time, the CPU and GPU requirements for the serious work were prohibitive for an Intel based desktop to get.

Part of my job there was to retrain the engineers to actually check in their components every day and make sure they understood that any changes they failed to check in each day, they should presume that their workstation hard drives would both crash and they would lose all their work.

Too many staff have privileged work accounts for no good reason, reckon IT bods


You've reminded me of a former boss I had when I was a day to day sysadmin.

Near direct quote from said manager of sysadmins:

"If you give me an account on the servers, you get written up. If you give me root to the servers, you're fired."

The manager pointed out, they were the manager, not the sysadmin. They also didn't have the training to be safe as a sysadmin. One of the two best managers I've ever had.


Re: Employ people you trust, trust people you employ

My experience with git repos is that there is a culture in many developers of "give the world access", even to those individuals who have no legitimate reason to access the repo in question. It's a battle I'm currently fighting, that I do not need access to the git repos. My boss agrees with me. But devs repeatedly try and give me access in an effort to make me do their job for them. All because I "might need" access to the repo.


Re: .. all the access they ask for ..

I've been the person who had to explain that no, we are not going to authorize `sudo vi /etc/hosts` for a dev on production or QA (not a made up example) because that gives unrestricted root. You are absolutely correct that many times, the requester does not understand the implications of what they are asking for.

On the other hand, I've also been the person filing an access request. At one client recently, I was appointed the unofficial access requester, because mysteriously, my access requests were always approved. Maybe it was the fact that I spelled out explicitly what the business justification was, and crafted the access request to be the minimum necessary to meet that business justification. It added value to the client, and made them happy, so I was happy to take home the paycheck...
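The `sudo vi /etc/hosts` request in the comment above is a common pattern worth catching before it is approved. This is an added example, not code from the original comment: a small sudoers audit that parses rule lines, flags `ALL` and editor or pager commands that can escape to a root shell, and accepts the scoped `sudoedit` form instead. The sample sudoers text is constructed, and the list of shell-escaping commands is a deliberately short, well-known subset.

```python
"""Flag sudoers rules that hand out unrestricted root through an editor.

Added example, not from the original comment. The sample sudoers lines are
constructed; SHELL_ESCAPE_COMMANDS is a short, well-known subset, not a
complete list.
"""
import re

# Commands that can spawn a shell or write arbitrary files as the run-as user.
# vi is the comment's example: ':!sh' and ':w /any/file' both run as root.
SHELL_ESCAPE_COMMANDS = {"vi", "vim", "nano", "less", "more", "man", "sh", "bash"}

# Constructed sample, mirroring the request the comment describes.
SAMPLE_SUDOERS = """\
# Dev asked for this so they can fix a hosts entry on QA
dev1   ALL = (root) /usr/bin/vi /etc/hosts
# Same intent, scoped: sudoedit copies the file, runs the editor unprivileged
dev2   ALL = (root) sudoedit /etc/hosts
# Blanket grant, passwordless
ops    ALL = (ALL) NOPASSWD: ALL
# Scoped: restarts one service
ops    ALL = (root) /usr/bin/systemctl restart nginx
"""

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^(?:(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*)+")


def parse_sudoers(text):
    """Return (user, host, runas, [commands]) per rule line; comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # Defaults, aliases and includes are out of scope here
        cmds = [TAG_RE.sub("", c.strip()) for c in m.group("cmds").split(",")]
        rules.append((m.group("user"), m.group("host"), m.group("runas") or "root", cmds))
    return rules


def audit_rule(user, host, runas, cmds):
    """Return findings for one rule; an empty list means it looks scoped."""
    findings = []
    for cmd in cmds:
        base = cmd.split()[0].rsplit("/", 1)[-1]
        if cmd == "ALL":
            findings.append(f"{user}@{host}: 'ALL' grants every command as {runas}")
        elif base in SHELL_ESCAPE_COMMANDS:
            findings.append(
                f"{user}@{host}: '{cmd}' lets {base} escape to a {runas} shell; use sudoedit"
            )
    return findings


def audit(text):
    """Audit a whole sudoers text and return the list of findings."""
    out = []
    for user, host, runas, cmds in parse_sudoers(text):
        out.extend(audit_rule(user, host, runas, cmds))
    return out


if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDOERS):
        print(finding)
```

Run it against a real sudoers file only after `visudo -c` confirms the syntax; this checker understands plain rule lines, not aliases or `Defaults`.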

Up from the depths, 864 servers inside, covered in slime, it's Natick!


I guess this means we now have ...

reef computing?

50%+ of our office seats are going remote, say majority of surveyed Register readers. Hi security, bye on-prem


Re: Loss of human contact

Interestingly, I worked on a fully remote team for many years, ending just under a decade ago. Never met face to face any of the peers I worked with for a full fifteen years. Most of the teams in the division (several hundred people) were similar, no more than a couple people per roughly ten person team in the same city, and significant percentages of people working full time remote from home.

The key difference was the recognition among the team that the workplace was not our personal life. I had a more active social life then than I've had ever since. I think those that desire more social interaction will find ways to do so.

As to loyalty? I believe that loyalty comes from how you are treated. When I've had a good manager who treated me well, I've felt more loyal. When I was treated as a replaceable machine cog, I didn't feel overly loyal to the company.

I cannot speak conclusively to your statements on productivity, but even the connectivity of twenty years ago is a radically different situation than the 1960s office. I question if those results are still relevant to the physical office today, or if they instead suggest that smaller focused subteams may be more productive today.

Please stop hard-wiring AWS credentials in your code. Looking at you, uni COVID-19 track-and-test app makers


How many mishandled medical records?

I seem to recall potential criminal liabilities for the mishandling of PHI data written into HIPAA from the training I get every six months at any company that potentially handles PHI. Yes, there are a few oddities and special cases related to reporting data about COVID more precisely than HIPAA normally allows, but I seriously doubt that the college is exempt from the rules requiring strict proper handling and penalties for mishandling and failure to report such mishandling.

Ed Snowden has raked in $1m+ from speeches – and Uncle Sam wants its cut, specifically, absolutely all of it


Re: Let's make it hypothetical:

You forgot the other item which really firmed up my views. When you have a clearance in the US, if you see something non-public but problematic, or potentially illegal, there is a whole process of "here is how to report it outside the chain of command". That method gets taught as part of the background/introductory training often before the clearance is even issued. From everything I've read, it wasn't even attempted. That lack of attempt at good faith whistleblowing suggests malicious motive.

In another area as an analogy, if someone sees a security vulnerability in a product that stores medical and financial information and reports it discreetly, through the company's hackerone account or their security vulnerability reporting system, that's generally seen as a good thing. But, if said individual instead takes that same vulnerability and tells the world and the company about it by dumping personal medical and financial data for the world to see, unredacted, would that individual be celebrated? I would hope not, even if it also exposed illegal practices by the company.

Burn baby burn, infosec inferno: Just 21% of security pros haven't considered quitting their current job


Where to get competent staff?

Since I'm interviewing candidates very regularly for a variety of different infosec roles as a part of my job, I've found that one reason for burnout is the difficulty in finding competent staff. My employer has no incentive to fail to find good candidates, but so few of the candidates sent my way am I able to give a thumbs up for more than a tier-1 secops team staff -- the kind that does nothing but pre-written instructions developed by someone else.

I've seen roles go unfilled for a year or longer just trying to find a competent low to mid level security analyst. Add in any middle to high level skill and expect more of a senior technical security role, and the time can increase even more.

Easier to burn out when people leave and are not replaced, not because management won't let them be replaced, but because no one can find anyone they feel has the skills to be worth the cost of the chair they sit in.

Keep it Together, Microsoft: New mode for vid-chat app Teams reminds everyone why Zoom rules the roost


Re: Audio rules ...

This may sound odd, but I don't want to know what they look like. Not knowing a person's appearance can reduce the risk of accidental unprofessional preconceptions. I don't even post a photo of myself on Teams or similar tools, just an avatar that does not show in any way what I look like. The only time a client objected, I removed all avatars and left it with just the default initials logo.


Re: Keep my Camera on?

Have regular meetings with people in different orgs. The security team members never turn on their cameras. The PMs usually do, until they realize that the security team people on the call won't be silently shamed into turning their camera on, and then the cameras turn off (and performance improves dramatically).

Why would I want to see people who haven't had access to a barber in at least three months and are working from a less than ideal location? I want to hear them and see the app they are sharing with the team, not an image of their face.

When open source isn't enough: Fancy a de-Googled Chromium? How about some Microsoft-free VS Code?


Re: "Replace many web domains in the source code with non-existent alternatives ending in qjz9zk"

.invalid is a better choice since it is explicitly reserved as an invalid top level domain.

Amazon declined to sell a book so Elon Musk called for it to be broken up


Look into the then equivalent publications. Privately published pamphlets and broadsheets handed out on street corners that contained outlandish accusations against political or social enemies. The only real differences are first, cost of publication has gone down for these people. It used to be a moderate expense to reach a few thousand people in a city. Now, that's a lot cheaper. Second, speed is the other difference. It can take minutes for (mis)information to spread across the country rather than days or weeks.

For fun and education, I've read some of the late 1700s pamphlets. It is quite arguable that they played a significant role in the US Revolutionary war, drumming up support, demonizing those who were seen as sympathizing with the UK. I've seen similar pamphlets advertising quack miracle cures for diseases, attacking political straw men, etc.


Re: Tell people what the goddamn guidelines are

Getting any reply at all from a traditional publisher means you probably passed a first pass review.

I'd say getting a generic "rejected" stamp is a positive sign. Someone read it enough to care to stamp and send a reply rather than just tossing it.


When I self published a couple fiction novels on Amazon, Amazon had some criteria that I was warned about that could get my book removed. I recall seeing a link to the criteria, but since my next book is nowhere near ready to publish, I'm too lazy to go back and pull it up. As a commercial entity instead of a government, unless the reason falls into a legally protected category, Amazon is free to refuse to do business with someone, and it is merely courtesy to advertise in advance the reasons for such.

As an author, one is not a consumer but a content creator entering into a contract with a distributor. That is a very different situation. There are plenty of other distribution channels one could use and Amazon does not block them even on the Kindle devices.