Daniel Miessler's Blog, page 104

January 8, 2018

Unsupervised Learning: No. 107


This post contains the supplemental content for this week’s episode of Unsupervised Learning. Some people prefer fewer stories in each show while others prefer more, so I’ve solved that problem by keeping the main show tightly curated and making all the extra stories and links available to members here. It’s basically an unabridged version of the newsletter for members.



This week’s topics: Meltdown & Spectre, India’s Database, Criminals and Monero, Equifax Non-action, technology news, human news, discovery, notes, recommendations, and the aphorism of the week…




Listen to this week’s Podcast



Read this week’s Newsletter



Become a Member to Get This Week’s Supplemental Content




I spend between 5 and 20 hours on this content every week, and if you are the generous type and can afford fancy coffee whenever you want, please consider becoming a member for just $10/month…


Begin Membership…


Thank you!

Published on January 08, 2018 02:41

January 7, 2018

A Visual of the U.S. Generations


Finding information on the various U.S. generations (boomer, millennial, x, z, etc.) is non-trivial. I end up Googling 37 different sites—all of which disagree somewhat with each other—and then I eventually give up and pick a set of numbers for that particular piece—which I then forget the next time.



Plus there aren’t really (m)any good visualizations of these ranges, which are uniquely helpful for this. So I made a reference myself that I’ll use from now on and will try to keep updated.




The Silent Generation
Born: up to 1945

Baby Boomers
Born: 1942-1962
Current ages: 55-75

Generation X
Born: 1963-1983
Current ages: 34-54

Millennials (Gen Y)
Born: 1982-2004
Current ages: 13-35

Generation Z (iGen)
Born: 2000-2014
Current ages: 3-17



These ranges aren’t perfect, and they aren’t fully agreed upon by experts anyway. I mostly used Wikipedia’s numbers, but also factored in a number of other sites to end up at a middle-ground.



The black bars are the disputed edges. The bolded range is what I’m calling authoritative (my own line in the sand). And the italics indicate the range of ages of people living today in that generation.



Notes


The Strauss-Howe Generational Theory is used as a source for a lot of generational estimates.
This is Wikipedia’s article on the generations in the workplace.
The biggest fallacy right now regarding generations is that most people over 30 think that everyone young is a millennial. They’re not. Millennials ended around 2004, so if someone is 12 or younger they’re actually Generation Z.
There is trouble with the transition between Millennials and Generation Z around year 2000 in that there’s lots of overlap. I’d argue too much to survive. I wouldn’t be surprised if 2000 became the actual transition point in the future, since it’s already considered mid-nineties to mid 2000’s.



Published on January 07, 2018 14:40

Summary: Fire and Fury


These book summaries are designed as captures for what I’ve read, and aren’t necessarily great standalone resources for those who have not read the book. Their purpose is to ensure that I capture what I learn from any given text, so as to avoid realizing years later that I have no idea what it was about or how I benefited from it.



I bought the book Friday night and read it on Saturday. What I got from it wasn’t any particular smoking gun or revelation, like proof that Trump is a traitor or anything like that. Quite the opposite.



What I liked about it wasn’t any information or facts about events, but rather how those events took place. I like understanding personality and power dynamics in strange environments, which I would definitely consider the current White House to be.



In fact, if anything it showed me beyond a doubt what I already believed, which is that Trump isn’t evil in the planned, Mr. Burns type of way. Instead he’s just a perpetually insecure man who fundamentally just wants people to like and respect him.



Keeping with my everyone is multiple people theory, I’m sure Trump is a nice, charming, funny guy at times. And I’m sure he’s done really nice things for people just for the sake of doing it. The problem is that he’s also extremely self-centered, vindictive, petty, and seemingly impervious to knowledge and wisdom.



Worst of all though—for being, say, an ice cream truck operator, or a school principal, or the leader of the free world—is that he appears to have the trifecta of stupidity:




Doesn’t know much.
Doesn’t know he doesn’t know much.
Doesn’t trust people who actually do know things.


It’s like Stage 4 Dunning-Kruger.



What I found much more interesting was understanding the Bannon / Kushner / Ivanka dynamics, and seeing how all these actual powerhouses and experts, like Kelly and Tillerson, responded to being disrespected by an actual bona fide idiot.



It seems there was a lot of gaslighting going on. Where people were basically looking at each other constantly, wondering if they were in a Black Mirror episode, and then wondering if they were somehow misjudging him. Like maybe he was a genius and they just weren’t smart enough to see it.



I got no bias from the book. So either it was super clean in that respect or he was quite skilled in hiding it. I suspect the former, since I didn’t end up with really any conclusions other than the fact that the entire situation is a black comedy dumpster fire.



I did learn a couple of interesting things, I suppose. Like something I should have seen before and felt dumb for not realizing: the other reason the Republicans are letting him stay is because he’ll sign anything they put in front of him.



I thought they were letting him stay because they needed to have a good story for why he failed, to avoid the democrats having an “I told you so” that keeps them in office until 2030.



But it’s more tactical than that. He’s a signature pen for them, and they like that.



Anyway, I enjoyed it as something of an exploration of psychology. It didn’t read like a tabloid to me because it wasn’t about revelations. It was more about understanding strange human dynamics. Like watching liquids act strangely in space.



[ Find my other book summaries here. ]




Published on January 07, 2018 13:23

January 5, 2018

What is Everyone In Consumer Tech Racing Towards?


I wrote The Real Internet of Things to answer the question of where all this consumer tech was eventually going to lead us. I think I mostly captured it there, but wanted to summarize here.



I’m not sure where Microsoft is in this, and neither is anyone else.



Right now we basically have Apple and Google fighting for supremacy in the most important domain, which is the human operating system. Right now that means mobile, because mobile devices are the closest thing we have to being part of you. This is why Facebook and Amazon are outsiders to some degree—they don’t have a mobile OS. But Amazon is so scrappy that they are forcing their way in via the home with Alexa.



The way I’d say this in kind of an Appley way, is that all these companies are fighting to become your lifeOS.



Now a lot of people in various product marketing teams and in the media talk around this point. Obviously everyone is trying to help manage your life in various ways. Obviously everyone is offering calendar, search, voice activation, home automation, etc.



But I feel like nobody is just coming out and saying what the end-goal is, which is life management.



And what are our lives made up of? Broadly, it’s work and personal. But even that line is too deep in the details to see the longterm goal here.



All these platforms are fighting to be the single source of truth for your life. And not in a bad way, like many in InfoSec think. It’s just the ultimate business goal in terms of customer satisfaction.



Managing multiple vendors is a mess. Multiple logins. Multiple accounts. Outlook for this, using Microsoft. Android for this, using Google credentials. Apple for this, using iCloud. Smarthome this. Smart car that.



It’s rubbish.



In 2030 or so, people will have chosen a single lifeOS to use, and who knows how many there will be, but let’s say three good ones and 10 more fighting to be in the top three.



When you wake up, you’ll be greeted by your personal assistant. It will know your entire schedule, where you need to be, when, and it’ll be working every moment to optimize your day.



If you work in an office, you’ll be driven there by a vehicle that was ordered for you. At work you won’t have to log in to much because most auth will be composite authentication using many factors that your lifeOS has been reading the whole time you’ve been awake.



It knows how to get your work stuff, your work emails, internal documents, etc. It knows how to contact your colleagues. How to do voice or video conferences with them, send messages of various types, etc.



The key point here is seamless. Management of all this is done by your lifeOS in conjunction with the security subsystems at work—which of course are compatible with your choice of operating system.



When your husband or wife calls, your assistant tells you, or sends them to leave a message if it sees you’re busy. If your husband can update your calendar, when he adds something it’ll show in your work calendar as well because it’ll mostly be contexts that you see, with multiple feeds coming in from different sources.



Key features here are single interfaces (mostly your digital assistant), integration of the various parts of your life, and extremely low friction.



Browsing websites, seeing your personal data on those sites, making purchases, etc.—all handled transparently by the authentication




Published on January 05, 2018 21:16

January 3, 2018

A Null Pointer Dereference Primer


Most of my technical primers are…well, technical. This one won’t be because the problem is confusion rather than complexity.



I’ve been in software security for over a decade, and nearly every tester or developer I’ve asked about this topic thinks Null Pointer Dereference Vulnerabilities mean one of two things:




Someone tried to delete (dereference) a pointer while it pointed to NULL, or…
Failure to clean up (dereference) NULL pointers.




In both cases, the mistake is made because they think dereference means to delete something, which it does not. In programming parlance, dereferencing means getting the value for something—a.k.a., reading it.



In other words, a Null Pointer Dereference Vulnerability just means reading a NULL pointer.



That’s it.



It’s not about deleting references, or leaving references lying around, or cleaning up NULL pointers, or any of that stuff. Computers just hate trying to extract the value for things that don’t exist. And I can’t say I blame them.
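As an added illustration in C (not code from the original post), here is the distinction in practice: a lookup that returns NULL, the unchecked read that is the actual null pointer dereference, and the two things people usually mistake for it. The account table and the find_account helper are constructed for the example.

```c
/* Added example, not from the original post: what "dereference" means.
 * Reading through a pointer is dereferencing; freeing a pointer or leaving
 * a NULL pointer unused are different things and are not the bug. */
#include <stdio.h>
#include <stdlib.h>

/* A record a lookup might hand back; returning NULL on "not found" is a
 * common C convention and the usual origin of this bug. */
typedef struct {
    int id;
    int balance;
} account_t;

/* Hypothetical lookup (constructed for the example): NULL when no match. */
static account_t *find_account(account_t *table, size_t n, int id) {
    for (size_t i = 0; i < n; i++)
        if (table[i].id == id) return &table[i];
    return NULL;
}

/* UNSAFE: the bug the primer describes. When find_account returns NULL,
 * `acct->balance` reads memory through a NULL pointer and the process
 * crashes (in kernel or embedded code the consequences can be worse).
 * Nothing is deleted here; the dereference is the read. */
int balance_unchecked(account_t *table, size_t n, int id) {
    account_t *acct = find_account(table, n, id);
    return acct->balance;            /* dereference = read, not delete */
}

/* SAFE: check before reading. Returns 0 on success, -1 when not found. */
int balance_checked(account_t *table, size_t n, int id, int *out) {
    account_t *acct = find_account(table, n, id);
    if (acct == NULL) return -1;     /* nothing to read, so do not read */
    *out = acct->balance;
    return 0;
}

/* Two things the primer says are NOT null pointer dereferences. */
int null_pointer_lying_around_is_fine(void) {
    int *p = NULL;                   /* a NULL pointer that is never read */
    (void)p;
    return 1;
}
int freeing_null_is_fine(void) {
    free(NULL);                      /* C standard: free(NULL) is a no-op */
    return 1;
}

int main(void) {
    account_t table[] = { {1, 100}, {2, 250} };
    int bal;
    if (balance_checked(table, 2, 2, &bal) == 0) printf("account 2: %d\n", bal);
    if (balance_checked(table, 2, 9, &bal) != 0) printf("account 9: not found\n");
    /* balance_unchecked(table, 2, 9) would crash here; deliberately not called. */
    return 0;
}
```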



Hope this helps someone.



Notes


This is a fantastic explanation of pointers on Stack Overflow.
Thanks to Jason Powell for talking through this, championing the cause, and reminding me that this primer still needed to be written.



I spend 5-20 hours a week collecting and curating content for the site. If you're the generous type and can afford fancy coffee whenever you want, please consider becoming a member at just $10/month.


Begin Membership



Stay curious,


Daniel

Published on January 03, 2018 21:32

A Simple Explanation of the Differences Between Meltdown and Spectre




Many people have pinged me asking for a dead-simple explanation of the differences (and similarities) between these two attacks. Here’s an extremely basic summary:



The mitigation story will continue to evolve as time passes, and will include hardware and firmware updates eventually.




Meltdown is Intel-only and takes advantage of a privilege escalation flaw allowing kernel memory access from user space, meaning any secret a computer is protecting (even in the kernel) is available to any user able to execute programs on the system.
Spectre applies to Intel, ARM, and AMD processors and works by tricking processors into executing instructions they should not have, granting access to sensitive information in other applications’ memory space.


There are software patches for both Meltdown and Spectre, but they’re more straightforward for Meltdown.



The major risk consideration here is whether you have multiple users sharing a single CPU.



(I say “multiple users” here as a reference to entities who might attack one another. You can actually use these attacks to read content from any application even if you only have a single user.)



This means regular systems with multiple accounts, virtualization environments, and cloud. Your risk will be different depending on the hardware platforms used, the operating systems running on those platforms, and your various patch levels at any given time, but the basic concept for these two attacks is that you should consider secrets to be attackable on multi-user systems that share a CPU.



In short, both Meltdown and Spectre allow low-privilege users to read sensitive information from memory on the same system via Speculative Execution. The difference is that Meltdown takes advantage of a specific Intel privilege escalation issue to do this, while Spectre uses the combination of Speculative Execution and Branch Prediction. Both issues can be addressed with software patches, but this is more effective for Meltdown than Spectre.
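Since the risk depends on your patch level, here is an added example (not from the original post) of the check a Linux admin can run: it reads the per-issue status files the kernel exposes under /sys/devices/system/cpu/vulnerabilities since the fixes shipped and reports whether the software mitigation for Meltdown and the two Spectre variants is active. The status strings in main are constructed samples.

```c
/* Added example, not from the original post: report the Linux kernel's
 * own verdict on Meltdown and Spectre v1/v2 mitigation status. */
#include <stdio.h>
#include <string.h>

#define VULN_DIR "/sys/devices/system/cpu/vulnerabilities"

typedef enum { MITIGATED, VULNERABLE, UNKNOWN } verdict_t;

/* Map one sysfs status line to a verdict. The kernel prints
 * "Not affected", "Mitigation: <name>", or "Vulnerable[: <detail>]". */
verdict_t classify(const char *status) {
    if (strcmp(status, "Not affected") == 0) return MITIGATED;
    if (strncmp(status, "Mitigation:", 11) == 0) return MITIGATED;
    if (strncmp(status, "Vulnerable", 10) == 0) return VULNERABLE;
    return UNKNOWN;
}

/* Read VULN_DIR/<issue> into buf (newline stripped). Returns 0 on success,
 * -1 when the file is missing: a kernel without the fix, or not Linux. */
int read_status(const char *issue, char *buf, size_t len) {
    char path[256];
    snprintf(path, sizeof path, "%s/%s", VULN_DIR, issue);
    FILE *f = fopen(path, "r");
    if (f == NULL) return -1;
    if (fgets(buf, (int)len, f) == NULL) buf[0] = '\0';
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

/* Print one line per issue; return how many are NOT reported mitigated.
 * A missing file counts as unmitigated, since the kernel predates the fix. */
int count_unmitigated(void) {
    static const char *issues[] = { "meltdown", "spectre_v1", "spectre_v2" };
    static const char *names[]  = { "mitigated", "VULNERABLE", "unknown" };
    char buf[128];
    int bad = 0;
    for (size_t i = 0; i < 3; i++) {
        verdict_t v = UNKNOWN;
        if (read_status(issues[i], buf, sizeof buf) == 0) v = classify(buf);
        else snprintf(buf, sizeof buf, "(status file missing)");
        if (v != MITIGATED) bad++;
        printf("%-10s %-10s %s\n", issues[i], names[v], buf);
    }
    return bad;
}

int main(void) {
    /* Constructed samples: Meltdown patched (KPTI), Spectre v2 not yet. */
    printf("sample meltdown   -> %d (0 = mitigated)\n", classify("Mitigation: PTI"));
    printf("sample spectre_v2 -> %d (1 = vulnerable)\n",
           classify("Vulnerable: Minimal generic ASM retpoline"));
    printf("\nthis host:\n");
    return count_unmitigated() == 0 ? 0 : 1;   /* non-zero exit = action needed */
}
```

The exit status makes it usable from a fleet check; a patched kernel can still report Vulnerable for Spectre v2 when the compiler-level mitigation (retpoline) is absent, which is the "more effective for Meltdown than Spectre" point above in practice.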



Notes


The Meltdown Paper.
The Spectre Paper.
If you see any flaws in this simplification, please let me know so that I can correct them.



Published on January 03, 2018 16:08

Unsupervised Learning: No. 106


This post contains the supplemental content for this week’s episode of Unsupervised Learning. Some people prefer fewer stories in each show while others prefer more, so I’ve solved that problem by keeping the main show tightly curated and making all the extra stories and links available to members here. It’s basically an unabridged version of the newsletter for members.



This week’s topics: Swatting death, Ethereum kidnap, Chinese dystopia, Alteryx S3 bucket, Starbucks Monero, Forever21, Microphone ads, technology news, human news, discovery, notes, recommendations, and the aphorism of the week…




Listen to this week’s Podcast


Read this week’s Newsletter


Become a Member to Get This Week’s Supplemental Content




Published on January 03, 2018 00:33

January 2, 2018

Raw Water is the Latest Example of Lupus Liberalism


High-profile Bay Area denizens are skipping tap water in favor of drinking unfiltered, untreated, and expensive “raw” water that comes straight out of the ground, Nellie Bowles reports for The New York Times.

Source: ‘Raw water’ is a pseudo-scientific craze that could make you sick – The Verge



The first time I wrote about Lupus Liberalism was in reference to over-aggressive political correctness, but this Raw Water craze is more akin to the anti-vaxer movement where the theme is ignoring science at your own peril. The general theme is still intact, though.



Lupus Liberalism is any situation where you go so left that your leftness starts doing damage.



I think the best (and actually the only) solution to this is to let it play out. Lots of people will embrace the movement, which will get lots of people sick.



I couldn’t help but smile a little when thinking about someone in the hospital, on an IV line, and screaming when they find out there’s medicine in the medicine they’re getting.




This isn’t free-range medicine? This is like, created somewhere?




Afraid so, friend.



Science, medicine, and germ theory—as it turns out—never roamed the African plains in all their natural glory before humans showed up. We had to conjure them into being using the quite “not found in nature” techniques of the scientific method, sterilization, and other extremely artificial concepts like that.



There’s actually nothing more natural than dying at 23 from a tooth infection.



That should be the next craze, really, getting rid of anesthesia and antibiotics. We’ll call it the Grin and Bear movement.



So if you have a cavity that is going to kill you, you have a quinoa salad, your kid (let’s call him Measles, since he’s not vaccinated) will hand you a twine stress ball, and the local shaman (doctors are lame) will rip the tooth from your skull using hand-forged iron pliers sanitized in Raw Water.



Sometimes evolution’s pendulum over-swings when trying out new things, and all these examples (raw water, antivax, etc.) are cases in point for good ideas taken too far.



Nature will punish those who take the bait.




Published on January 02, 2018 21:23

My Thoughts on the Flu Shot


Ok, enough people have asked me about this that I’ll answer here. And please know that I’m not a doctor, a flu specialist, or any kind of medical professional. This is just my own line of reasoning.



So, I accept the science that you can’t get the flu from the shot, but anecdotally I’ve gotten sick almost every time I’ve gotten it.



I understand that I didn’t get the flu each time (you’d know if you had the flu, because you’d feel like you were dead), but I still got sick.



Basically every time.



So when I hear that it’s not very effective at stopping the flu, and I never really get the flu anyway, I have to ask whether I want to almost definitely get sick (from something else) in order to lower my chances of getting the actual flu by some percentage.



I think the answer might usually be no, but perhaps this year might be a yes since it seems so bad.



Again, I would actually have to model this out to know for sure.



I’d factor in how bad it sucks to be the not-flu-sick, with a likelihood, and assign a risk score to that. And then I’d take the chances of avoiding getting the flu if I get the shot, and factor in how bad it’d be to get it, and then I’d produce a YES/NO answer.



But I don’t have that data, or even enough to guess at it.



So for now I’m going to skip it, but with an open mind on whether I should change my position. And if you’re an expert in this area, and/or have a model like this populated with data, I’d love to hear about it.




Published on January 02, 2018 00:11

January 1, 2018

It’s Wrong to Fearmonger on IoT Security

Bruce Schneier on Amazon (Emphasis Mine)



In this blog post, Bruce Schneier is adding to what I’ve been complaining about for a while now in InfoSec—a massive tone of fear and panic around IoT technology and its interaction with humans.



Listen to the audio version of this essay.



“Everyone wants to control your life.”

“I fear it’s going to get a lot worse.”



Please stop.



I know it’s super cool to scream about how IoT is insecure, how it’s dumb to hook up everyday objects like houses and cars and locks to the internet, how bad things can get, and I know it’s fun to be invited to talk about how everything is doom and gloom.



I absolutely respect Bruce Schneier a lot for what he’s contributed to InfoSec, which makes me that much more disappointed with this kind of position from him.



InfoSec is full of those people, and it’s beneath people like Bruce to add their voices to theirs. Everyone paying attention already knows it’s going to be a soup sandwich—a carnival of horrors—a tragedy of mistakes and abuses of trust.



It’s obvious. Not interesting. Not novel. Obvious. But obvious or not, all these things are still going to happen.



When we brought electricity to millions of homes, houses burned down, and people died, but I’d argue it was worth it to have electricity in the home and business.



Fear-mongering about IoT is like looking at the first electricity coming to homes in the early 1900’s and warning everyone it’s a horrible idea because of the fire hazard.



You’re honestly objecting to assigning trust, at a digital level, to various people in your family, friends, various organizations, etc.? Digital management of trust is happening. Having digital assistants in our lives is happening. Having our homes, our workplaces, and our environments adapt to our presence is happening. These aren’t ideas, they’re inevitabilities.



Technology is integrating into human life on planet Earth, and there’s not anything anyone can do to stop that. And once we get out of the woods it’s going to be a massive improvement. Just like electrification was. We should obviously try to minimize the risks, but we don’t do that by trying to shout down the entire enterprise.





To characterize Amazon’s progress in smart homes as “They want to control our lives” is both incredibly shortsighted and irresponsible. Awesome people like Bruce (and everyone in InfoSec really) should be leading from the front by saying:




Yes folks—things are going to get nasty. The digitization of our lives through IoT will be a bumpy ride, and people will get hurt. We in InfoSec are on the front lines. We’re the technologists embracing this change first, as the inevitability that it is, and we’re doing our best to make the transition as safe as possible for you.




That is our role.



Not dog-piling on every new technology/life integration like it’s the harbinger of death that must be stopped by InfoSec. It’s not our job to stop the inevitable from happening; it’s our job to make it more safe when it does.



We should be shepherds, not obstructionists.



People complaining about fire hazards wouldn’t have stopped electrification, and people complaining about IoT aren’t going to stop that either.



People need us.



They’re bewildered and scared. So let’s start preparing them for what’s coming instead of adding to their fear and uncertainty.



We’re better than this.




Published on January 01, 2018 23:23
