Daniel Miessler's Blog, page 114

A lot of people, including @BayoumiMoustafa writing for the Guardian, are saying it’s racist not to call the Vegas gunman a terrorist.

The argument is that if this were a black person, or a Muslim, they would have been labeled a terrorist immediately. The position is particularly specious given the amount of racism going around right now, but it’s a red herring for a very specific reason.

Too many people are confusing terrorism with violence. Most terrorism is violent, but not all violence is terrorism. Here are three major definitions of the word.

Oxford Living Dictionary


Terrorism


noun
The unlawful use of violence and intimidation, especially against civilians, in the pursuit of political aims.







Wikipedia


Terrorism


noun
The use of violence or threat of violence in the pursuit of political aims, religious, or ideological change.







U.S. Code


Terrorism


noun
Premeditated, politically motivated violence perpetrated against noncombatant targets by subnational groups or clandestine agents.

So you don’t have terrorism just because you have violence. Terrorism is violence with a goal. If there’s no goal (and no message describing that goal) then it’s not terrorism—no matter how horrific.

The reason Muslim violence is often called terrorism is because Muslims who commit said violence often directly attribute their actions to their religious beliefs, e.g., by saying, “Allah Akbar” before or while executing bombings, stabbings, and shootings.

That’s a message (we’re doing this in the name of God). That’s a goal (we will defeat the infidels). That’s terrorism.

If the Vegas shooter had done what he did in the name of a racist movement, or anti-government, or religion, it would have been terrorism as well. Dylan Roof, for example, was absolutely a terrorist because he had a racist ideology (complete with manifesto) and his actions were in line with that ideology. But so far we have nothing of the kind from Vegas.

What was the Vegas attacker telling us? Don’t listen to country music? Don’t go to Vegas?

It so far seems that there was no message, and that means—no matter how horrible it was—it cannot be considered terrorism.

So the next time this happens, and you’re inclined to get upset because something is not being labeled terrorism when it should be—ask yourself a simple question: Was there a political goal or message being furthered by the attacker?

If not, you just have violence.

That doesn’t mean it’s less bad. It doesn’t mean we don’t look for a cause. It doesn’t mean we don’t try to prevent it from happening in the future. It just means that we don’t have to worry about others doing the same thing under the banner of an ideology.

A lot of people, including @BayoumiMoustafa writing for the Guardian, are saying it’s racist not to call the Vegas gunman a terrorist.

The argument is that if this were a black person, or a Muslim, they would have been labeled a terrorist immediately. The position is particularly specious given the amount of racism going around right now, but it’s a red herring for a very specific reason.

Too many people are confusing terrorism with violence. Most terrorism is violent, but not all violence is terrorism. Here are three major definitions of the word.

Oxford Living Dictionary


Terrorism


noun
The unlawful use of violence and intimidation, especially against civilians, in the pursuit of political aims.







Wikipedia


Terrorism


noun
The use of violence or threat of violence in the pursuit of political aims, religious, or ideological change.







U.S. Code


Terrorism


noun
Premeditated, politically motivated violence perpetrated against noncombatant targets by subnational groups or clandestine agents.

So you don’t have terrorism just because you have violence. Terrorism is violence with a goal. If there’s no goal (and no message describing that goal) then it’s not terrorism—no matter how horrific.

The reason Muslim violence is often called terrorism is because Muslims who commit said violence often directly attribute their actions to their religious beliefs, e.g., by saying, “Allah Akbar” before or while executing bombings, stabbings, and shootings.

That’s a message (we’re doing this in the name of God). That’s a goal (we will defeat the infidels). That’s terrorism.

If the Vegas shooter had done what he did in the name of a racist movement, or anti-government, or religion, it would have been terrorism as well. Dylan Roof, for example, was absolutely a terrorist because he had a racist ideology (complete with manifesto) and his actions were in line with that ideology. But so far we have nothing of the kind from Vegas.

What was the Vegas attacker telling us? Don’t listen to country music? Don’t go to Vegas?

It so far seems that there was no message, and that means—no matter how horrible it was—it cannot be considered terrorism.

So the next time this happens, and you’re inclined to get upset because something is not being labeled terrorism when it should be—ask yourself a simple question: Was there a political goal or message being furthered by the attacker?

If not, you just have violence.

That doesn’t mean it’s less bad. It doesn’t mean we don’t look for a cause. It doesn’t mean we don’t try to prevent it from happening in the future. It just means that we don’t have to worry about others doing the same thing under the banner of an ideology.

_

If you enjoyed this, you can explore my other content, subscribe to my newsletter, and/or show support for my work.

This is a font weight

This is a font weight

This is a font weight

This is a font weight

_

If you enjoyed this, you can explore my other content, subscribe to my newsletter, and/or show support for my work.

This is episode No. 96 of Unsupervised Learning—a weekly show where I curate 3-5 hours of reading in infosec, technology, and humans into a 30 minute summary. The goal is to catch you up on current events, tell you about the best content from the week, and hopefully give you something to think about as well…

This week’s topics: Russians vs. NSA, ArcSight vs. Russia, DISQUS breach, TrendMicro vulnerability, Stamos, tech news, human news, ideas, discovery, recommendations, aphorism, and more…

Listen and subscribe via…

Read below for this episode’s show notes & newsletter, and get previous editions…

Information Security news 





Russia has evidently hacked an NSA contractor through his home computer running Kaspersky Antivirus software. The contractor evidently brought home extremely sensitive data and put it on his home system, which the Russians were able to access through some sort of backdoor in the Russian AV software. A lot of people were unimpressed when a warning recently came from the government saying not to use Kaspersky software, but now we might be seeing why. It’s important to note that, as a Russian company, it doesn’t matter if Kaspersky was compromised initially or not, since the government could simply force them to install a backdoor and keep the fact quiet. Link



DISQUS has had some sort of breach and emails and password hashes have been released. The data is in haveibeenpwned, and there’s a writeup on the blog. Same routine: change your password, and if it was shared you should change it in the other places too. But at this point none of your passwords should be shared. Link



A piece of shared vulnerable code in TrendMicro software allows for RCE on many of its products. This is the risk of using shared components: if it’s vulnerable one place it’s potentially vulnerable wherever you use it. Link



The Yahoo breach from last year actually affected all 3 billion accounts. Link



Brian Krebs has uncovered how to find someone’s salary history using someone’s SSN and DOB, which were both leaked for millions of Americans in the Equifax breach. Link



Alex Stamos continues to be a beacon of rational ethics within the infosec community, and he’s now evidently hunting down Russian influence within his entire platform. Having him in charge of security at Facebook makes me feel infinitely better about the service in general. Link



HPE evidently let Russia have access to the source code for ArcSight, so they could do a “security review”. I’m guessing that was approved long before all this Facebook and Kaspersky stuff happened, and they now regret it. Link



Google is releasing a separate security bulletin going forward just for Pixel/Nexus devices. Link



Patching: WordPress, Android, DNSmasq





Technology news 





Google has released updated Pixel devices, an updated Google Home device, and Pixel Buds, an earphone competitor of AirPods that can do realtime translation of multiple languages. Link



Netflix is raising the cost of two of its plans—the Premium plan that gives you 4K and four streams is moving from $11.99 to $13.99, and the mid-tier plan is going from $9.99 to $10.99. Link



DJI has launched a privacy mode for its drones so that they can be used in sensitive environments. The setting will stop drones from sending or receiving any data over the internet while in that mode. Link





Human news 





It appears that livestock is an even bigger part of climate change than man thought it was. New studies sponsored by NASA have shown that increases in methane gas from livestock could be contributing massively to greenhouse gases that are trapping heat. So, man-made in the sense that we keep growing more livestock to feed our meat habit, but nature-made in the sense that it came from an animal. It’s an interesting development in the discussion for sure. Link



Teenagers are chronically sleep-deprived, and early school start times are a major factor. Link



Exercise has been confirmed (once again) as the end-all-be-all solution for both mental and physical health. This article describes new recommendations of exercise duration and type for different age groups. Link



In 2017 we didn’t go more than 5 days without a mass-shooting. Link





Ideas 





The Reason Business Doesn’t Take InfoSec Seriously Link



The Difference Between Violence and Terrorism Link



Stop Calling It Identity Theft Link



I realized the other day that I’d be ok with putting an Apple or Amazon assistant device in my home (like Alexa or a HomePod), but not similar devices from Google or Facebook. The reason for this is simple: with Apple and Amazon, they want to make your life better and sell you products. With Google and Facebook they want to extract more and more information from you, because your information IS THE PRODUCT. That difference is why I could not, at this time, put one of their devices in my home. Link



Expect in-person identity validation services to become a lot more popular. When everyone’s data is compromised I think it’s going to be a lot more common for major transactions to require that an actual notary validate your identity. So expect becoming a notary to become a lot more popular, as well as notary fraud. 





Discovery 





Remarkable visualizations of how American’s are divided based on issue vs. voting. Link



The Origin and History of UNIX Link



A visualization of the commonality of your birthday. Looks like the big birthdays are from conception dates in the holidays. Link



Entropy explained using sheep. Link



The Cognitive Bias Codex Link



Hackernewsbooks — A clean display of books mentioned on Hacker News. Link



Awesome AI Security — A project dedicated to adversarial examples against AI. Link



pcap2curl — read a packet capture, extract the URLs, and replay them using curl. Link





Notes 





Thanks so much for the feedback on the length of the show. I got almost equal feedback saying it should be longer or shorter. The open and click metrics were a bit higher for the shorter show, which tells me that the format was more consumable for people. I wonder if the newsletter should be shorter, but the podcast should be longer, as one main piece of feedback I get is enjoying when I give more opinion and personality on the podcast. So perhaps I could take one or two of the concepts from the ideas section and go into more detail there for the podcast, but still keep the newsletter nice and trim.





Recommendations

 



If you run Kaspersky software anywhere, consider replacing it with something else.





Aphorism





“If you try, you risk failure. If you don’t, you ensure it.” ~ Anonymous

You can also sign up below to receive this newsletter—which is the podcast’s show notes—every week as an email, and click here to get previous editions.

Newsletter

Every Sunday I put out a curated list of the most interesting stories in infosec, technology, and humans.

I do the research, you get the benefits. Over 10K subscribers.

And if you enjoy this content, please consider supporting the site, the podcast, and/or the newsletter below.

Thanks for listening. I’ll see you next week.

_

If you enjoyed this, you can explore my other content, subscribe to my newsletter, and/or show support for my work.

I recently learned the origin of the world “school”, and was reminded of the origin of the word “company”.

We know school as a place to train for future life—to learn things—and if you’d asked me what its origin was I’m sure I would have said something like, ‘to learn’.

It’s not.

School comes from Greek, and it’s meaning was “leisure”. I find this highly ironic since so many high-end education systems are focused on ensuring that kids sleep longer and have more fun while learning.

Then you have the word company, meaning a place that you go to work. It comes from old French back around 1100, and it meant a military unit. Then it later became a word for people you spend time with and eat with. And of course companies have officers and secretaries, just like a government or military.

So it’s strange. School is a crappy place to go and learn a bunch of boring things, and its original meaning was leisure. And company is a place to make a living, but it comes from a military unit designed to work together in defeating an enemy.

They make a lot more sense when you think about the original forms.

_

If you enjoyed this, you can explore my other content, subscribe to my newsletter, and/or show support for my work.

I saw a thread recently where someone was complaining about Dave Kennedy making a hilarious inside joke on CNN without any of the participants knowing. Evidently people on Twitter said this is why InfoSec isn’t taken seriously.

Then someone else showed up with this reply, which prompted my response.

The reason infosec is not taken seriously is because we can’t map risk to money.

Until then we’re scary magicians with attitudes.

— ᴅᴀɴɪᴇʟ ᴍɪᴇssʟᴇʀ (@DanielMiessler) October 8, 2017

The reason information security is not taken seriously by the board room and other senior executives is because we cannot translate risk into financial terms.

Yes, being hacked is being taken seriously. And they’re certainly ready to throw some money at the problem in order to fix it (or look like they’re trying). But this isn’t the same thing as respect.

Most industries are about to talk about ROI. Sales, marketing, etc. You have a certain amount of spend, and you get a certain amount of return.

That’s missing in information security, and until that changes we’re going to be considered dirty mages with arcane powers.

They’ll keep us around, of course, but we don’t get to eat with them. Our kids can’t date their kids. Etc. It’s not real business because it’s not based on arithmetic.

So, yeah, we have a bad reputation for being mischievous and such, but that’s not what’s hurting us. Our real obstacle is our inability to have adult conversations about return on investment.

Until then we get to eat at the kids table.

_

If you enjoyed this, you can explore my other content, subscribe to my newsletter, and/or show support for my work.

A lot of people, including @BayoumiMoustafa writing for the Guardian, are saying it’s racist not to call the Vegas gunman a terrorist.

The argument is that if this were a black person, or a Muslim, they would have been labeled a terrorist immediately. The position is particularly specious given the amount of racism going around right now, but it’s a red herring for a very specific reason.

Too many people are confusing terrorism with violence. Most terrorism is violent, but not all violence is terrorism. Here are three major definitions of the word.

Oxford Living Dictionary


Terrorism


noun
The unlawful use of violence and intimidation, especially against civilians, in the pursuit of political aims.







Wikipedia


Terrorism


noun
The use of violence or threat of violence in the pursuit of political aims, religious, or ideological change.







U.S. Code


Terrorism


noun
Premeditated, politically motivated violence perpetrated against noncombatant targets by subnational groups or clandestine agents.

So you don’t have terrorism just because you have violence. Terrorism is violence with a goal. If there’s no goal (and no message describing that goal) then it’s not terrorism—no matter how horrific.

The reason Muslim violence is often called terrorism is because Muslims who commit said violence often directly attribute their actions to their religious beliefs, e.g., by saying, “Allah Akbar” before or while executing bombings, stabbings, and shootings.

That’s a message (we’re doing this in the name of God). That’s a goal (we will defeat the infidels). That’s terrorism.

If the Vegas shooter had done what he did in the name of a racist movement, or anti-government, or religion, it would have been terrorism as well. Dylan Roof, for example, was absolutely a terrorist because he had a racist ideology (complete with manifesto) and his actions were in line with that ideology. But so far we have nothing of the kind from Vegas.

What was the Vegas attacker telling us? Don’t listen to country music? Don’t go to Vegas?

It so far seems that there was no message, and that means—no matter how horrible it was—it cannot be considered terrorism.

So the next time this happens, and you’re inclined to get upset because something is not being labeled terrorism when it should be—ask yourself a simple question: Was there a political goal or message being furthered by the attacker?

If not, you just have violence.

That doesn’t mean it’s less bad. It doesn’t mean we don’t look for a cause. It doesn’t mean we don’t try to prevent it from happening in the future. It just means that we don’t have to worry about others doing the same thing under the banner of an ideology.

_

If you enjoyed this, you can explore my other content, subscribe to my newsletter, and/or show support for my work.

This is an example page. It’s different from a blog post because it will stay in one place and will show up in your site navigation (in most themes). Most people start with an About page that introduces them to potential site visitors. It might say something like this:

Hi there! I’m a bike messenger by day, aspiring actor by night, and this is my website. I live in Los Angeles, have a great dog named Jack, and I like piña coladas. (And gettin’ caught in the rain.)

…or something like this:

The XYZ Doohickey Company was founded in 1971, and has been providing quality doohickeys to the public ever since. Located in Gotham City, XYZ employs over 2,000 people and does all kinds of awesome things for the Gotham community.

As a new WordPress user, you should go to your dashboard to delete this page and create new pages for your content. Have fun!

_

If you enjoyed this, you can explore my other content, subscribe to my newsletter, and/or show support for my work.

This is episode No. 95 of Unsupervised Learning—a weekly show where I curate 3-5 hours of reading in infosec, technology, and humans into a 30 minute summary. The goal is to catch you up on current events, tell you about the best content from the week, and hopefully give you something to think about as well…

This week’s topics: IE leak, Whole Foods, Sonic, Apple Open-sources Kernels, Equifax $15 million retirement, tech news, human news, ideas, discovery, recommendations, aphorism, and more…

Listen and subscribe via…

Read below for this episode’s show notes & newsletter, and get previous editions…

Information Security news 





An Internet Explorer bug leaks what you type in the address bar. Link



Whole Foods had a breach of credit card data captured at some of its taprooms and full table-service restaurants. The main store’s POS systems were not affected. Link



Sonic has had a breach of credit card data affecting an unknown number of store payment systems. Millions of customer credit cards are now being sold online as a result of the breach. Link



Apple has open-sourced the kernel code used in macOS and iOS, which is called XNU. Link



The Equifax CEO has retired with $15 million after 143 million people were affected in his company’s data breach. $15 million. For doing the exact opposite of succeeding. Link



Patching: Netgear





Technology news 





Amazon released new hardware, including a new alarm clock form of an Echo, as well as updated Echo models. Link



Amazon is working on smart glasses with Alexa built in. Link



Music streaming revenue is up 48% so far this year because of services like Spotify and Apple Music. Link



IKEA has purchased TaskRabbit, but it will continue to operate independently. Link



IBM now has more employees in India than in the U.S. Link





Human news 





A 64-year-old man killed at least 58 people, and injured over 500, while shooting out of a window in the Mandalay Bay hotel in Las Vegas. He used automatic weapons to open fire on a crowd of 20,000 people down below who were attending a concert. I’ve written a short essay about what I believe to be the cause of these events. Link



A quarter of part-time college professors are on public assistance, and some are getting desperate in their attempts to make a living. Link



IQ scores have been falling for decades, and scientists aren’t sure why. Link



Elon Musk announced dramatic new plans for intra-Earth space travel as well as missions to Mars. Link





Ideas 





The Invisible Line Between Order and Chaos Link



Why Biometric Data Breaches Won’t Require You to Change Your Body Link



Three Distinct Benefits of Reading Link





Discovery 





The Everything Bubble. Link



The pocket guide to Essential Startup Advice, by YCombinator. Link



An interesting discussion of TLS Session Tickets. Link



Information Theory of Deep Learning Link



The top 20 tech companies by revenue per employee. Link



Geekbooks — A subscription to top technical books. Link





Notes 





I just finished Essentialism, and it’s definitely one of my top 10 productivity books of all time. Link



I’m experimenting this week with a much shorter podcast & newsletter, just to see how people like it. It’s a tradeoff between being thorough but taking a long time to consume, and being concise but not having as much content. Let me know what you guys think about the balance.





Recommendations

 



Read Essentialism and incorporate its concepts into your life. One of the best books I’ve ever read on being effective in everything you do. Link





Aphorism



“We can be absolutely certain only about things we don’t understand.” ~ Eric Hoffer

You can also sign up below to receive this newsletter—which is the podcast’s show notes—every week as an email, and click here to get previous editions.

Newsletter

Every Sunday I put out a curated list of the most interesting stories in infosec, technology, and humans.

I do the research, you get the benefits. Over 10K subscribers.

And if you enjoy this content, please consider supporting the site, the podcast, and/or the newsletter below.

Monthly Support

A subscription is the most helpful way to help me continue making content.

Supporter - $5 / monthMember - $25 / monthPartner - $50 / monthPatron - $100 / monthOther amount

$

Subscribe

One-Time Support

You can also make a one-time contribution of any amount.

$

Send

Thanks for listening. I’ll see you next week.

_

If you enjoyed this, you can explore my other content, subscribe to my newsletter, and/or show support for my work.

image from slate

The Las Vegas shooting yesterday forced me to write about something I’ve been thinking about for years.

It seems entirely too easy to produce chaos in a large society. And in fact if you told me that millions of people would put themselves in metal boxes and fly down a street at nearly 100mph, separated only by their own attention, I’d have told you it would have never worked.

Why? Because it’s too easy for someone to disrupt.

Someone could easily just swerve into oncoming traffic. Someone can cut a giant hole in the ground and cover it with black paper so people drive into the hole at high speed. People could drop bowling balls from overpasses and skyscrapers and high-rise hotels and kill the people down below.

And with this incident we see that you can also just break out the glass in a giant hotel and shoot down at tens of thousands of people, with automatic weapons that you just brought through the front door.

So if I were to design a society, or be consulted on a society, I would say that you can’t have these vulnerabilities. But the problem is that you need those vulnerabilities for the society to be usable.

And there’s another problem with saying that you can’t build roads like this, or skyscrapers like this, or overpasses, or hotel windows—in the vast majority of cases, they do work exactly as designed.

So even though millions of people can easily abuse these design flaws (or tradeoffs), for some reason they don’t. And that’s the invisible line I’m talking about. This is the most important defense in all of society.

In short, the reason more people don’t do this is because it’s, well, non-conventional. It’s improper. It’s unthinkable. It’s just not something that you do.

This is an unbelievably powerful force that makes an open society possible.

There are a few things that keep this force working, and a few things that diminish it.

Convention is a powerful factor. If nobody has done a particular attack before you, and you know it’s not proper or allowed or morally sound, it’s a lot harder to do it for most people. The fact that it’s never been done before is a defense in itself.
Mental Health is another factor. People who are mentally healthy are able to honor society’s rules and don’t have overwhelming forces pushing them to break those norms.
Religion is another powerful element that can overpower a society’s conventions. If God says something and convention says another, God might win that argument. And if the command is to kill, it just might happen if the belief is strong enough.
Ideology is broader than Religion but has the same characteristics. If you believe that a certain race should be exterminated, or that another race is superior, or that technology is evil and that people who promote it should be removed from the equation—these are all strong beliefs that could inspire action that counters the natural invisible force that protects society.

The problem today seems to be that a number of these are eroding at the same time.

More and more people are doing crazy, destructive things that then open the door for copycats.
We’re losing a meaning and happiness infrastructure that kept people focused on work and family and following the rules, and people are becoming unstable as a result.
And various ideologies—religious and otherwise—are becoming strong enough to convince people to harm others in opposition to the rules of society.

The key point is that it’s effortless to step over this line. It’s easy to harm people en masse in an open society. Extraordinarily easy. All you have to do is realize it’s possible, and have enough of a reason.

And the more we strip away the ephemeral and convention-based reasons not to, the more danger we’ll be in.

_

If you enjoyed this, you can explore my other content, subscribe to my newsletter, and/or show support for my work.

image by tanya antre

I read a lot, and I sometimes struggle to find ways to articulate how useful it is, and how much it’s improved my life. After…well…reading more on the topic, I think I’ve settled on three distinct benefits.

Reading updates your mental models. Reading doesn’t just give you a series of facts that you can later recall. It’s also teaching you about the world the same way that experience does. Except with reading you’re getting multiple lifetimes of experience. That experience teaches your mental models of how the world works and subconsciously shapes your decision-making. It basically makes you smarter in a way that you cannot put your finger on because it’s baked into how you see the world.
Reading gives you new perspectives. Reading can give you a completely different understanding, at a conscious and emotional level, of how an event took place, or of the difficulties of an individual or group. These conscious ties to history or people give you a different way of understanding those things, and that additional perspective can give you tremendous advantage.
Reading is euphoric. Not only does reading provide you conscious and subconscious advantages at the intellectual and emotional perspective levels, but it can also serve as one of—if not your primary—means of entertainment. There are more worlds available in books than anywhere else, and becoming an avid reader opens those worlds for you to explore. Once you are practiced at reading, which won’t take long, you can be at peace and having the best time of your life, completely alone in the quiet.


Summary


Extraordinary enjoyment can come from exploring other worlds, all of which can be had, by yourself, in the peace of solitude.
Perspective changes give you conscious emotional connections to things that allow you to see situations from different angles.
Mental model updates subconsciously shape and improve your intelligence by baking in lifetimes of experience into your own judgement.

_

If you enjoyed this, you can explore my other content, subscribe to my newsletter, and/or show support for my work.