Daniel Miessler's Blog, page 103

February 4, 2018

Why Benedict Evans is Wrong About Voice Interfaces





Worse, even if you do create hundreds or thousands of such queries (which Amazon is trying to do with Alexa Skills), you haven’t solved the problem, since there is no way for the user to know what they can ask, nor remember what skills Alexa does and does not have. The ideal number of skills for such a system is either 3 or infinity, but not 50 or 5000.  

This means voice can work very well in narrow domains where you know what people might ask and, crucially, where the user knows what they can and cannot ask, but it does not work if you place it in a general context. That, in turn, means I see these devices as, well, accessories. They cannot replace a smartphone, tablet or PC as your primary device.

Source: Smart homes and vegetable peelers — Benedict Evans



If you’re not following Benedict Evans’ work, you should be. His annual presentation on the state of tech is among the top three such reports in the world in my opinion.



But I do occasionally disagree with him. When we talked in person he dismissed the idea of understanding a long-term strategy for consumer IoT, basically saying that everyone knows the grand strategy, and that the only thing that matters is the next steps. I disagree. I think companies like Google, Apple, and Microsoft should be talking a lot more—even this early—about the overall lifestyle integration play that we’re all moving towards.



But more tactically, I think Benedict is wrong about voice interfaces. He’s made points like this in many places:




ML means we can use voice to fill in dialogue boxes, but the dialogue boxes still need to be created, one at a time, by a programmer in a cubicle somewhere. That is, voice is an IVR – a tree. We can now match a spoken, natural language request to the right branch on the tree perfectly, but we have no way to add more branches except by writing them one at a time by hand.




I think the solution here is fairly straightforward, although not trivial.



The voice platforms simply need to capture enough ways to say the same thing that they reach a certain confidence level across the population as a whole.



People don’t need perfection from their lifestyle tech, but they need a high confidence rate. I don’t study this, so I’ll just say 9/10, or “usually”, or “the vast majority of the time” is the standard we’re shooting for.



With a voice interface there are only a certain number of cases we need to execute perfectly on before that particular use case (say, asking about the weather) is considered perfected.



I’m really just guessing on these numbers, but I think they’re in the right magnitude.



There are probably a dozen common ways to ask about the weather (who knows, could be higher), but as you get to the second dozen those scenarios get dramatically less likely. And at, say, 36 different ways, you’ve probably covered the 99.9%.



Now it’s a matter of collecting use cases:




News
Weather
Sports
Calendar
Communication with friends
Reminders
Home entertainment
Timers
Math calculations
Recipes
Trivia
Questions about the assistant itself
Swearing at the assistant
Meaning of life questions
Etc.


The list will be large, but humans are (usually) remarkably simple and predictable beings. We wake up, we want the news, we make coffee, we eat breakfast, we go to work, we sit in traffic, we talk to our friends, we sit in traffic, we come home, we watch television, we get ready for the next day, we go to bed. And we do this a number of times before dying.





Those are use cases—all of which need their own potential invocation options mapped. But they don’t need to be perfect. They only need to hit that magical number of “very high” confidence.



By definition, most people will use the most common ways of asking a given question, and once you map the space around those most common methods adequately I think we will be able to reach “good enough” fairly easily. It’ll be hard work initially, but it’ll level off quickly because human speech doesn’t evolve quickly enough to present this as a problem.



Nobody’s going to come home one day and say, “Illumination request initiated.”, or “Lux go now”. And even if they did, they shouldn’t really expect that it would work, and wouldn’t be upset that it didn’t.



In short, I think Benedict is overestimating the number of combinations that need to be mastered to hit the feeling of “Minimum Necessary Confidence” that’s required to transition voice interfaces from novelty to everyday infrastructure.



To his credit, he’s also said he could be wrong about this. And I’ll say that as well. It could be that I’m wrong about how many combinations there actually are for each use case, thus making the mappings prohibitively numerous for achieving Minimum Necessary Confidence.



We’ll have to see, but I’m betting this will just take 2-3 years to get us there for most of the use cases I’ve listed above.




I spend between 5 and 20 hours on this content every week, and if you are the generous type and can afford fancy coffee whenever you want, please consider becoming a member for just $10/month…


Begin Membership…


Thank you!

Published on February 04, 2018 22:26

The Future of Attack and Defense is AI





I wrote recently about how AI’s biggest advantage in security—at least in the short term—will come from improving coverage rather than analysis quality.



I was talking specifically about things like detection of threats within a SOC, or finding asteroids that might hit earth, or listening for dangerous conversations in millions of phone calls. Basically, any situation where there just aren’t enough (trained) humans to look at what needs to be evaluated.



But there’s another use case for AI as well, and that’s on the attack side—along with its mirror image on defense.



Emulating crowdsourced security



The key advantage of crowdsourcing security—especially where the scope is large and relatively open—is that hundreds or thousands of people looking at a particular target can find the nooks and crannies that a single person might miss.



This is true just due to human nature. People have biases and experience that skew how they test. They also have limited willpower, organization skills, and time available to do a given test, so individual testers can sometimes miss minor things. And minor things can sometimes become major things.



Crowdsourcing security doesn’t solve this, but it addresses it. It takes the weaknesses of hundreds or thousands of testers and lays them on top of each other so that after many such layers you eventually cover all the surface. Someone might miss something obscure, but it’ll be caught by someone else.



This function will be taken over by AI, which will look something like this:



Automated Information Gathering

--> Data Normalization

--> AI Algorithms Extract Best Targets



So elite attack teams will basically rig up extraordinary automation systems that constantly crawl and parse the entire internet, with special focus on certain targets, and then take all the data they find and put it into a format that can be consumed by various types of algorithms.



Instead of needing 10,000 elite people to parse all this data and look for gems that could yield results, you can instead have your best algorithms looking at that same data, and only need dozens—or a few hundred—elite attackers to get the same benefit.



So the better the data gathering gets, or the algorithms, or the few human attackers, the better the results with less time and cost.





And it’ll be exactly the same for defensive teams.



They’ll have massive automation farms constantly polling their attack surface, extracting information from it, and putting that information into a lake format that can be parsed by their own algorithms.



Then their highly trained Blue Team will review the recommendations surfaced by the algorithms: the weakest points and the most likely points of attack, based on what attacks are being seen in the wild, the most likely threat actor, etc.



In five or ten years the amount of infrastructure that’ll be out there, and the amount of data it’ll be generating in terms of attack surface monitoring, will be far too much to ever catch up with using humans. There’s no amount of training, online courses, university education, or any other method that can create millions upon millions of trained infosec analysts. It’s a fantasy already, and it’s only becoming less and less possible as the Big Bang continues to expand.



So what we’ll have is the battle of the algorithms.



Attacker algorithms crawling everything and telling the humans where to focus, and defender algorithms crawling everything and telling them where to defend.



This probably isn’t the AI-to-InfoSec interaction you thought we were going to get, but I think it’s the one that’s coming.



Notes


Max Tegmark and Sam Harris think that human-AI hybrids will have a short half-life, and I agree with that. Once AI becomes general, and is able to improve itself, even the pieces that humans had to do will get replaced. But we’re somewhere between 10 and 50 years from that according to most experts. My personal guess for AGI is around 15 years, but that’s just a feeling as a non-expert who’s read a lot of books about it.
The explosion of new business systems and the data they create will be one multiplier to the data out there. The second factor will be the fact that we’ll want all existing and new systems to create vastly more data so that algorithms can make sense of it. And the third (and perhaps biggest) factor will be the explosion of IoT, which will create far more devices that create far more data.



Published on February 04, 2018 10:14

February 2, 2018

Third-party Questionnaires Are Security Theater



by Rob Donnely



If you’ve been in InfoSec for a while you probably have significant experience with third-party security questionnaires. They’re the new firewall, basically. Everyone is asking everyone else if they have one.



I’ve been troubled for years by the whole charade, but I just put my finger on the reason.



Third-party security questionnaires are the equivalent of asking someone if they’re an axe murderer with bodies in their basement.



As it turns out, most people say no to this question—including most axe murderers. So the value in the process seems to be finding the rare sociopath who says yes.



Here’s 95% of security questionnaire interactions reduced to three sentences:




COMPANY: Hey, question for you. Do you put customer data at extreme risk through gross negligence?



VENDOR: Nope.



COMPANY: Whew! I was worried about that. Glad I asked!




Cool assessment, bro.



Basically, nobody has time to do basement inspections, so asking people nicely is the only option we have.



InfoSec departments are becoming security questionnaire farms, passing forms back and forth like currency.



It’s like echo talking to chargen with no actual work getting done.



Most companies have dozens, hundreds, or thousands of vendors that they deal with, and in order to show due diligence they need to ask most of them if they’re doing these special 743 things.



I regularly see 25-75% of security teams’ effort focused on sending and answering these questionnaires. It’s a full-time job, often for multiple people. And if you ask most people on an internal security team if they give honest answers when responding, you’re likely to get aggressive laughter or a red-faced stare at the ground.



Everyone is lying, and everyone knows it.



And here’s the worst part: sometimes you will see an honest response.




Yeah, so, actually, we don’t have backups yet. Or a logging solution. Actually, to be super transparent, we’re in the process of standing all of this up right now.




Wow, refreshing. So you tell the business and they respond back that they really like the product so they’ll accept the risk.





Cool assessment, bro.



The sad truth is that an actual assessment of a company’s security, to really determine if they’re keeping your data safe, is essentially impossible to do for even one vendor if they’re doing their best to hide things from you.



I’ve seen and heard of dozens of examples where an in-depth assessment team—with full support and transparency from management—still takes days or weeks of interviews and technical review to uncover the worst security flaws in a company. All this while industry-leading auditors are also onsite putting their “all clear” stamp on the same company.



So a dedicated team can be onsite for days, with full management and staff support and transparency, and still not find the dead bodies, but we think an outsider sending a form is going to somehow reveal the truth?



It’s fantasy, full stop.



But this isn’t to say that some good doesn’t come out of third party assessments.



If you ask someone if they’re extremely negligent with your data, or if they go on killing sprees when the sun goes down—and they say yes—that is in fact useful information to have. There’s also the PCI effect where companies are trying to improve their posture so that they have to lie less when they respond to the questionnaires.



In this industry we take whatever wins we can get.



As with any security theater, the real problem here is the disconnect between how much security people think they’re getting from security questionnaires vs. how much they’re actually getting.



If I had to put a number to it, questionnaires rate at something like a 2/10 in security effectiveness, and many people think they’re getting something like 8/10 from the process.



That gap has consequences, and it’s time we start talking honestly about it.



Notes


There are actually companies that do security questionnaires well, and get significant value from the process, but I contacted both of them and they weren’t able to speak on record.
An earlier version of this essay appeared on the IOActive blog.
Many people cite “due diligence” as a form of value in security questionnaires. I agree, but it’s the same due diligence as asking people if they are serial killers. If they say no, what have you really accomplished?



Published on February 02, 2018 12:18


January 28, 2018

The Ability to Fake Voice and Video is About to Change Everything





Most people think the way AI is going to significantly impact society is by taking all our jobs or creating robots that try to kill everyone. But while we focus on all the distant or unlikely impacts of artificial intelligence we’re about to get completely blindsided by a very real and practical one.



The ability to imitate anyone’s voice or likeness in order to falsify evidence.



Once again porn is the innovator.



Lyrebird is a service that lets you upload a minute of your own voice, after which you can hear an AI speak in your voice. And the new thing in porn is putting celebrities’ faces on porn actresses. And then, within a few days, that evolved into people putting their friends into porn scenes.



It’s a bit disorienting to hear about these things. Like they mess with reality in some way. And that’s what I want to try to unravel here.



We are about to see an arms race between forensic analysis that can detect fakes, and increasingly sophisticated AI that more perfectly mimics the real thing.



I think there are two main ways this will affect our reality in a major way.




There will be lots of voice recordings and videos in the world that make it look like people did something that they didn’t. This is the obvious one, and it’s pretty clear from the fact that this just started and the tech is already pretty good that the fakes will soon be quite convincing.
The bigger impact, however, is that the better the fakes get the more people will be able to deny horrible things they actually did and that were actually recorded.


You have a voice recording of a politician admitting to a murder? Fake. You have a video of someone committing adultery? Doctored. You have a picture of someone robbing a liquor store? I was framed.



And this is just the first second of the rest of human history.





A few years ago AI couldn’t even find common objects in photographs, and now it’s finding problems better than doctors with over a decade of training. Now it’s giving people the ability to make it look (and sound) like people have done something they haven’t.



People often believe false things with no evidence. Imagine when they have high-quality fake evidence.



Once we gain the ability to falsify the authoring of action—in a way that can convince most people—we not only grant legitimacy to things that didn’t happen, but we remove it for things that actually did.



It’s hard to overstate this because nothing is more fundamental to the infrastructure of human trust than seeing or hearing something. It’s the invalidation of our most basic truth-sensing abilities.



This is about to blindside us as a society. The only question is how much and how fast.



Notes


Gives a whole new meaning to “fake news”. It really might be this time. Or not.



Published on January 28, 2018 20:47

January 22, 2018

Unsupervised Learning: No. 109








This post contains the supplemental content for this week’s episode of Unsupervised Learning. Some people prefer fewer stories in each show while others prefer more, so I’ve solved that problem by keeping the main show tightly curated and making all the extra stories and links available to members here. It’s basically an unabridged version of the newsletter for members.



This week’s topics: Social engineering, breach impact, Chinese turncoat, Android spy kit, Hawaiian OPSEC, Russian cables, bypassing CloudFlare, technology news, human news, discovery, notes, recommendations, and the aphorism of the week…




Listen to this week’s Podcast



Read this week’s Newsletter



Become a Member to Get This Week’s Supplemental Content




Published on January 22, 2018 11:00

January 18, 2018

Site Traffic Metrics for 2017





I finally took a look at my site traffic for 2017, and it was fairly respectable.




~ 3 million pageviews
~ 2 million users
People hang out on the site for around 50 seconds (mostly for tutorials)


I’m looking to get more traffic to my non-technical posts as well this year, but I think most people will still come via Google surfacing my tutorials.



I think the popularity of the podcast & newsletter (Unsupervised Learning) might shift that balance a bit by adding some essay traffic when I point to pieces there. The growth of the show and newsletter in 2017 was insane—basically going from 3K readers to over 15K.





The most popular content on the site has been somewhat stable, with a few newcomers. The most surprising (and depressing) one is my article on existentialism, where I talk about the difference between existentialism, nihilism, and absurdism.





Browsers are interesting, with Chrome still dominating but Safari showing strongly. I wonder if 2018 will be the year that Android overtakes Firefox.





The OS stats are even more interesting, with Android beating out macOS, and iOS almost even with it. And I’m more proud of those Linux numbers than I probably should be.





And if I look specifically at mobile traffic, the story is pretty clear there as well.





Anyway, quite happy with the site’s performance over the year, and I’m looking forward to seeing how it does in 2018 now that I’m fully converted to the new design.



Thank you for reading.




Published on January 18, 2018 00:16

January 16, 2018

Unsupervised Learning: No. 108








This post contains the supplemental content for this week’s episode of Unsupervised Learning. Some people prefer fewer stories in each show while others prefer more, so I’ve solved that problem by keeping the main show tightly curated and making all the extra stories and links available to members here. It’s basically an unabridged version of the newsletter for members.



This week’s topics: Hawaiian false alarm, customs searches, Chinese iCloud, Alexa on Windows 10, Snail Blackmail, Overstock bitcoin confusion, browser botnets, technology news, human news, discovery, notes, recommendations, and the aphorism of the week…





Read this week’s Newsletter



Become a Member to Get This Week’s Supplemental Content




Published on January 16, 2018 02:07

January 10, 2018

We’re Moving to the On-Demand Curated Experience (OCE) Economy



image by Christian Koepke



I’m not interested in technology for its own sake. I think it’s interesting precisely where (and because) it intersects with our daily lives. We’re at the beginning of many such intersections right now, but one that I’m particularly interested in is The On-Demand Experience Economy.



Traditionally, we’ve done two things related to items and experiences:




When we wanted something, we had to go get it. This could be at a store, at a restaurant, or some designated meeting place where an exchange will happen.
When we wanted something, we had to purchase it outright. There are exceptions for renting houses, or cars, but most things you had to buy in order to experience.
If we wanted to know what the best things were, we had to do a lot of manual work to figure this out.


These three things are not only changing; they’re also merging.



Amazon has forced everyone who makes something to learn how to have it delivered to you. So either they use Amazon itself or they suddenly develop a high-quality and fast shipping service that gets you goods at Amazon speeds. The alternative is (usually) to go out of business.



This is a big problem for Amazon’s biggest competitors, which are large stores like Walmart and Target. Amazon is getting better and better at replacing these stores via free shipping, a better selection, and—quite significantly—not requiring you to go anywhere. You can just order and have the stuff show up at your house.



There’s a halfway step in there as well, which is where you still have to drive to the store, but all the stuff will be paid for, bagged, and ready for you to pick up when you get there.



If you look at tech startups, new services coming out, and general product and service innovation you can see this doesn’t just apply to supermarket and grocery items. There are companies who will come to where you are and pick up and drop off your laundry. There are companies that will fill your car with gas wherever it’s parked. And lots more who will give you manicures, haircuts, or whatever other personal service you need—without you having to go to a business.



That’s the on-demand piece, and it’s one of the reasons (along with limited selection) that the malls are dying.



image by Andrik Langfield



The second piece is experience, and it’s orthogonal but arguably even more powerful. The idea is that people will be able to experience high-end products and locations (and people) without having to fully commit to a purchase or otherwise long-term relationship.



Traditional examples would be something like cars. Not many people have ever driven a 911 in their lives. Or an M3. Or a Corvette. And maybe they would love to do this, but could never afford to buy such a car. Or maybe they have a family and need a minivan, so even if they could afford a Corvette it wouldn’t be practical.



This experience component is making it so that people can own that BMW—just for the weekend. They don’t have to commit to it. They don’t have to give up the minivan. And they don’t have to pay the higher cost of ownership for more than a few days. But for their trip along the California coast they get all the benefits of their dream car.



Now imagine this for most nice things you might want to have access to, but not necessarily own. Golf clubs. Semi-automatic weapons. A small plane. A boat. A high-end gaming computer. A travel laptop.



One class of items where this probably won’t be as popular is personal items like clothes and shoes.



But let’s think bigger. Let’s say you’re planning this spectacular 7 day trip to the California coast, and you’re trying to make it as nice as possible, what else could you include?



How about staying in a nice home in the coastal mountains that has a view of the water? You’re driving an M3 on those remarkable Highway 1 roads, and you’ve got a set of the latest PING clubs in the trunk. But where are you eating? Perhaps a special meal by a famous chef, hosted at a private home further down the coast.



Suddenly we’ve created an entire getaway, with some extremely high quality products and experiences, and we just paid for their duration—not perpetually. We can’t buy that house in the mountains overlooking the Pacific. We can’t buy that M3. And we don’t know any chefs who can cook for us. But through this concept of buying ephemeral experiences, we can have all these things for the amount of time that matters.



I mentioned people, which, if you’re tuned properly, should have given you pause. There will be negative implementations of this (and already have been for centuries), but imagine the work that most comedians put into being funny with a very small chance of doing well financially or being able to make extra money outside the club.



What if you could hire a professional comedian to come drink with you and your buddies? Or what if there was a guy who’s so successful with women that you and your 20-something friends could benefit just by being near him at the clubs? Would you pay him to learn how to be relaxed around girls? Would you pay a marine biologist to come out on the ocean with you while you fish and answer questions about ocean life?



How about if they were rated with 4.8 stars by lots of people you recognize, as being “one of the most entertaining educators I’ve ever met”?



If I could pay an astronomer or cosmologist to come stargaze with me I would, in a heartbeat. Just to hear them talk, to tell me about the history of the universe, and what they are working on at the time. I give them $200 for a couple of hours, they make some cash, and I have one of the best nights of my life.



People will be able to leverage their skills, abilities, and possessions to make additional money by enhancing other people’s experiences.



So if I own Canon’s latest Mark VII Mirrorless camera, and a bag full of the best glass in the industry, I can keep it rented out and make good money off it. And when I need it I simply take it out of experience rotation so that I can use it for my trip. Except your sense of humor is like your camera. And your astronomy knowledge is like a nice car. They are things that you and others can benefit from.



image by Hello I’m Nik



Finally we have curation.



It’s one thing to be able to have good products brought to you wherever you are. And it’s nice that you can have any accessory, in any location, with any companion, when you want to experience something.



But what should you do? What music is best for this occasion? What does the ideal trip to the California coast actually look like? Is there a particular house/car/food/activity combination that would make it an especially rich experience?



Maybe you heard that your friend rode bikes for 50 miles, then rowed boats out into the ocean and then dove to see turtles, and the fourth grandson’s cousin of David Attenborough was the wildlife guide. Then you parasailed back and rode motorcycles to your cabin in the mountains, where you listened to a storyteller with genuinely frightening ghost stories.



The point is, that was a thing. It’s a thing that they did that 1) you’d never think of yourself, and 2) you wouldn’t have any idea how to set up.



There will be entire professions based on surfacing the best things in life to you, and then removing the maximum amount of friction towards you experiencing them.



It’s the shave gel that you must try. It’s the ultimate pair of single-monk shoes. It’s the brand of jeans that will replace your AGs. It’s the ultimate combination of foods at the restaurant you have a reservation at in 2 hours.



It’s about the ideal balance between serendipity and optimization. Sometimes you know exactly what you want, and you just need it to be executed perfectly. Other times you just want to be surprised, but in a way that you’ll like. If you’re dainty and hate nature, a hiking trip where you get chased by a real bear will not be “authentic”—it’ll be horrific.



So the magic here is understanding context, understanding preferences, and building the ultimate experience for any given moment. Maybe that’s a stay-at-home dinner tonight for under $12, or maybe it’s the best new cleaning products for the house, or maybe it’s planning a 7-day trip to Iceland.



Summary


We’re entering a new life-tech intersection that I call the On-Demand Curated Experience (OCE) Economy.
Things will come to us instead of us going to them.
We will have access to accessories, products, locations, and companions/guides/expertise that we can leverage for short amounts of time when we need them.
Having access to these high-end people, places, and things for short periods will constitute our migration away from owning to experiencing.
We will have curation services that can recommend most anything to us at any given time, from what we should eat right now within 2 blocks, to a career path for your newborn child based on your desires and values.


Some will object to these trends because they seem focused on the haves vs. the have-nots. Others will say that the experience economy turns everyone and every thing into a prop for someone to enjoy. Then some will argue that curation removes the joy of natural discovery. All three of these objections resonate with me, but I think the benefits will outnumber and overpower the negatives over time, regardless of our objections.



I personally look forward to the positives.




I spend between 5 and 20 hours on this content every week, and if you are the generous type and can afford fancy coffee whenever you want, please consider becoming a member for just $10/month…


Begin Membership…


Thank you!

Published on January 10, 2018 00:55

January 9, 2018

5 Free Images Sites to Use Instead of Google Images



Google Images is still best if you want to see a picture of something. But for content creators there are a number of problems.




It’s not super easy to tell when you’re allowed to use an image or not, and if you care about being courteous to artists and photographers, this matters.
The site is infested with stock images, which—if you think about it—are nothing but advertisements.
If you create a lot of content, you’re likely to be using the same images as other content creators, and after a while it cheapens the look of your site, almost like using clipart from the 90’s.


Happily, there are better alternatives for quality and free images that you can use for your blogging.



1. Unsplash





2. Pixabay





3. Pexels





4. StockSnap.io





5. Negative Space





Notes


Even though these sites have non-copyrighted images, I still recommend including the artist / photographer’s name under the image you use (when available). It’s just the right thing to do, and spreads good karma among fellow creators.



Published on January 09, 2018 23:57
