Daniel Miessler's Blog, page 119

July 19, 2017

My Thoughts on the DEFCON Cancellation Meme



If you’ve not seen it yet, there’s a meme going around saying DEFCON is cancelled. It seemed to be purely a troll done in good fun, but it’s been gaining in popularity over the last couple of weeks.



Then this morning I found what appears to be the official meme manifesto, and it made me wince a bit. Kind of like something good that’s slightly turned.



Let me try to explain.



First, I think the piece is trying to do multiple things at the same time.




I think it’s trying to be funny, which it is.
It’s trying to troll some noobs, which it does.
And finally, it’s trying to say some serious things about the industry, which is where I think it lands squarely in the Uncanny Valley.




The Uncanny Valley is where something like a CG character is almost perfect but is off just enough to cause alarm (see Tom Hanks above). And, importantly, if it were less perfect—in a movie the character would be more cartoony, and in a piece of satire it would be more obviously so—it would be accepted without issue. But because it sits right on the line it causes unease. And that’s precisely the sensation I got.



A few points from the text:




I believe that we are in a post-hacker world. We still need innovative security researchers but we need professionals. We need to shed the “hacker” persona that is denigrating us. We should strive to be professionals, making the Internet a safer place rather than exposing vulnerabilities that can be leveraged by criminals and terrorists.




This one is a clear attack on those who think it’s immature to pursue true research and disclose vulnerabilities, and I absolutely agree with the point. There are nuances of course, but in general this is not something that the community benefits by giving up.




It is my belief that attendance at amateur conferences such as ShmooCon, Summercom, Toorcon, HOPE and even CCC will soon begin to dwindle. As current attendees mature they will become the next generation of security professionals, not hackers. What I’ve said is probably disturbing to some of you, but it is our current reality.




This is also a solid and deeply cutting point, saying that too many professional types have lost the curiosity and true hacker nature.




Professionals have professional credentials. If you want to participate in the security industry, you should obtain the appropriate certifications. ISC2, SANS, EC-Council and many vendors offer well regarded security certifications.




This one is a bit ‘on the nose’, but entertaining.



The next two sections are where I started feeling the Spidey Sense go off. On the national security topic I get the point of opposing blind trust in the government, but I worry it’s hinting at the position that anything under the guise of NATSEC is bad. That’s unhelpful.



Then it talks about privacy, and makes fun of the notion that nothing should be considered private. This is a hard one because I agree with the straw man that they’re knocking over, which is the “if you’ve got nothing to hide” argument. 100% agree.



But I also think privacy is going away, and that it is inevitable. This is because of the future of technology, data exchange, society, etc.—not because christian republicans are awesome, and ‘Merica. They’re two separate forces. I oppose one, and I believe the other to be inevitable. The piece conflates these two in an overly simplistic way.



Then we get this vibe as well. It’s actually all throughout the piece, but it’s most pronounced here.




I plan on writing a book covering many topics during my growth from a hacker to a security professional. Feel free to approach me at Black Hat or other conferences to discuss these issues.




The “professional” bashing is the weakest part of the piece, and it’s what produced the Uncanny Valley feel for me.



It’s basically taking real, solid points, making them well and in a funny way, and then at the same time bashing hackers and/or wannabes who are transitioning to being professionals.



This is non-binary.




There are many hackers who become security professionals
There are many non-hackers who pretend to be hackers and then become security professionals
There are many non-hackers who don’t pretend to be hackers and become security professionals
There are many noobs who are neither, and who are trying to become one or both


I don’t get the professional hate, or the conflation of complex topics. It’s not useful.




National security is a thing, and it needs good security people to help.
You can’t blindly trust the government, because ‘Merica.
You can’t give up privacy because some Republican told you you’re a criminal if you don’t.
It’s ok to be a wild hacker in your younger years and then become a professional later in life.
Becoming a professional doesn’t have to mean compromising your values.


If these are in conflict for you it’s because you see the world too simplistically. The world is messy, and it requires nuanced and constant re-evaluation to navigate practicality while remaining true to the core principles you believe in.



I wish things were as simple as this manifesto makes them out to be. It was easier for me when they were. But that’s the Fox News approach. It’s compartmentalizing everything into neat boxes so that you know who’s a real hacker, who’s a sell-out, that the government is bad, etc.



I get it. It’s clean. But reality isn’t clean. And true hackers figure out how to be good, in a dirty world, as a professional.



I agree with 90% of what’s being said here, and trolling noobs should never go out of style, but we shouldn’t pretend that the world is simple, because it isn’t.


__


I do a weekly show called Unsupervised Learning, where I curate the most interesting stories in infosec, technology, and humans, and talk about why they matter. You can subscribe here.




Published on July 19, 2017 09:09

July 15, 2017

When Do You Step in to Stop Poor Countries Destroying The World’s Rain Forest?



Brazil just opened 860,000 acres of the Amazon rain forest to pilfering by big corporations. It’s been happening for a long time, but the speed has dramatically increased in recent years.



This will be unpopular, but the Amazon is not a national treasure that Brazil has the right to destroy. It’s not like we in the U.S. decided to destroy Mount Rushmore because we want the rock. There’s plenty of rock elsewhere in the world.



Not so with the rain forest. It’s a finite resource, and it’s being pissed away because Brazil is poverty stricken.



To me this is like a 6-year-old agreeing to burn the only cure for cancer (that he found in his backyard) for $10 so he can buy a Coca-cola and a family size bag of M&Ms.



Yes, I’m aware of how horrible that sounds.



I see both extremes. One is that you can’t just walk into a sovereign country and tell them how to treat their natural resources every time you disagree with their policies. Especially not if you’re the U.S., which is basically the primary imperial power in the world today, and a country that uses (and wastes) massive amounts of natural resources itself.



The other extreme is that you don’t want to sit and watch the cure for cancer (an apt analogy, as it turns out) disappear on the account of political correctness or political sensitivities.



The Amazon is a literal source of hundreds of our medicines, and the more we lose of it the more new medical breakthroughs will be delayed or never discovered at all.



That’s not a Brazil problem. That’s a humanity problem.



So the question is, since we know you can’t just be the U.S. and tell them to stop, and we also can’t sit back and watch them destroy a global treasure because they are poor…when do we step in?



And who is “we”?



I think it really needs to be the world, not just the U.S., or Europe, or whoever. It’s got to be a large group that represents the world. The U.N. or something.



Maybe they need to buy it to preserve it. And maybe that technique should be used in other countries as well. The U.S. is killing off the only supply of something? The U.N. buys it and prohibits its destruction. And so on.



All I know for sure is that both extremes are bad. Interdiction reeks of imperialism, especially if it comes from the U.S. or Europe. And non-action is impotence and cowardice at a criminal scale.



sound of saws buzzing and the clock ticking



Notes


Image from Getty.





Published on July 15, 2017 23:46

Universal Income and Population Control Are Inexorably Tied



A lot of people—me included—are excited about the concept of Universal Basic Income. This is the idea of eliminating all or most of the need for someone to struggle to survive, thus giving them time to dedicate to higher-level efforts like art, science, etc.



A basic example would be someone who wishes they could be a painter, or a musician, or an architect, but they can’t afford to go to school or to practice their art because of their main bills. Basic Income would provide an amount of money for free to them, and every other citizen, so that they didn’t have to worry about basic housing and food costs, so that they were free to pursue their passions.



The consensus among many experts is that this isn’t just a nice idea, but that it’s about to be essential. The problem is that there are too many people and the jobs are getting automated away. So we need to be able to create value in ways other than performing basic tasks like transporting things from A to B, or doing basic management tasks that can be done better by computers.



Here’s the problem in the simplest form:




More and more people.
Fewer and fewer jobs.


Something has to give.



Basic Income is just one approach, but it seems most realistic of the numerous bad options. And even with Basic Income this doesn’t solve the issue completely. You still have other questions to answer:




Where is the money coming from if fewer and fewer people are creating value, and the amount of Basic Income required keeps going up?
How can we be sure that those receiving the Basic Income will use their spare cycles to create new value?
Can we be sure that new types of jobs will be created once computers and automation take most existing ones? It’s not guaranteed to go down the same way it did in previous industrial revolutions.


The numbers game

One thing that always troubled me about Basic Income is the numbers.



Some percentage of the population will use the income to simply do nothing, and then to reproduce. Another percentage of the population will create a lot of new value and also reproduce. And another group will create value and not reproduce.



But what percentages will be in each? It matters a lot.



If we have some mixes we get a new economy based on new value, and life is good. And if we have another mix the system will implode under its own weight.



But let’s say that we’re watching it become bottom-heavy and untenable. And the issue is too many people reproducing and not producing value.



What do you do?



That is the single most important question around Basic Income in my opinion. Even more important than whether new types of value can be created or not. It’s a question of numbers. How few people can support how many, and for how long?



There are a few sliders in this equation.




Number of value producers.
Amount of new value created.
Amount of people consuming and not producing.
The speed of reproduction of each group.


Put these into a spreadsheet and mess with the numbers. I’m not qualified to do so, but I am guessing that the numbers are pretty scary at the extremes.



To me this leads to the following prediction:




Basic income will happen, simply because there’s no better alternative.
The numbers involved will inevitably lead to calls for population control.


There will be proposals to limit children of people who only have basic income, income requirements for having kids over a certain number, rating the value contributed to society for additional kids, etc.



I don’t see how this won’t happen.



Whenever you think of Basic Income, keep this in mind. It’s a great idea, but there’s a blade on the handle.






Published on July 15, 2017 17:56

July 14, 2017

The Universal Arc



I’m creating an EDM album. Well, designing one. I’m creating the concept, the theme, the title, the song titles, the feel of each song, the type of music I want for each, the type of lyrics, etc.



But I’m likely going to get someone else to create the music because it’s not something I have time to learn right now.



So here’s the concept.





Album

The album is called Universal Arc, and it’s about the journey of life within this universe. Not just human life, but including human life. Any civilization, on any planet, in any galaxy, throughout the universe. The “arc” refers to the story arc, which typically goes from primordial soup, to surviving as animals, to breaking away from the animals, to becoming intellectual, to avoiding self-destruction, to escaping the solar system, and finally merging with other life forms in the universe. The endgame is to avoid the heat death of the universe as one or more super-intelligences trapped within a dying world.



The songs in the album correspond to the phases in this journey, and convey the emotions thereof. So the song titles should tell you where you are in the arc, and each song should have the feel of that phase.



Songs

The songs in the album will correspond to phases in life evolution and/or the struggles that are faced in that phase. Current song names are listed below, along with the music type and possible lyrical content or themes.




Primordial


Style: Ambient
Musical and Lyrical Themes: organization, gurgling, chaos, disorder, time, eons, millions of years, birth

Animal


Style: Drum and Bass
Musical and Lyrical Themes: animal, tribal, energy, fighting, raw, savage, killing, sex, competition

Dawn of the Intellect


Style: Ambient, Minimal, House
Musical and Lyrical Themes: positivity, rebirth, intellect, intelligence, formulas, science, logic, death of religion

Self-destruction


Style: Hardcore, Hardstyle
Musical and Lyrical Themes: death, biological warfare, meteor strikes, global warming, nuclear holocaust

Post-human


Style: Deep House, Minimal, Trance
Musical and Lyrical Themes: super-intelligence, experience is everything, virtual fantasy worlds, vr is reality, arbitrary distinctions between fantasy and reality, hedonism, identity, merging with the collective

New Home


Style: Minimal, Ambient
Musical and Lyrical Themes: search, loneliness, fear, hope, desperation, silence, deep space, missing home

Others


Style: Drum and Bass, House, Deep House
Musical and Lyrical Themes: avoiding conflict with others, finding friends, battles, merging with other super-intelligences, surviving as a collective

Entropy / Escape


Style: Ambient, Minimal, House
Musical and Lyrical Themes: sadness, slow death, eternal sleep, fade to blackness, death of the universe, silence, silence, a tiny hope, an opening, ESCAPE, a path to another universe, a new beginning
Notes: This song is in two parts. It starts off about the death of the universe, and as the song runs and fades out at around 8-10 minutes, it just stays super minimal for minutes. Then, after some time, Escape starts, and it becomes about leaving this universe through a wormhole or whatever method to find another universe to start anew.



Notes


I will have someone actually create art for this, so the image above isn’t permanent.
I appear to have already found a friend to work with on this, so I’m extremely excited. I’ll keep updating the song names and concepts as time goes on.





Published on July 14, 2017 05:22

Good App Features Become OS Features



People are really upset that 1Password appears to be forcing users to store their password data in the cloud.



Whenever stories like this come around I get asked what I use for passwords, and since I use lots of different things I simply respond with what I believe to be a truth about tech features.



If something is good enough to spawn an entire space within applications, such as location sharing, password storage, live video streaming, etc.—expect that functionality to come to the operating systems as well.



Put another way, the operating system is where most core functionality will ultimately reside, and applications are basically testing grounds for those capabilities.



I think this is an interesting way to think about things if you’re a company looking to get into applications. You have to ask yourself:




How long will this functionality exist as an application vs. being folded into the operating systems?




I think there are exceptions to this rule, or perhaps there are types of application functionality that will simply take too long to absorb. Core applications like Facebook, Twitter, AirBnB, Reddit, etc.—these all seem pretty resistant to collapse into the OS.



But why is that?



I’m thinking in realtime here, but perhaps it’s because those are really interfaces to user-generated content, and displaying such content in new and interesting ways is something that moves too quickly to integrate into the OS.



This is in contrast to something like navigation, finding your friends, or checking the weather, where this type of functionality is part of regular, natural human workflows.



That’s perhaps not a foundational distinction. I’ll do more thinking on it.



But what does seem clear is that there are not many applications that people use on a regular basis. The idea of making an app and becoming rich is a bit strange at this point, and the reason for that is that people really only use a few applications in their day to day lives.



If people only use, say, ten applications during the course of a week (not counting the default ones in their OS), then it’s going to be extremely difficult to either bump one of those ten or become the eleventh.



Perhaps we can imagine these as 25 core workflows, which are divided between applications and the operating system. And maybe the question turns into which workflows go to apps vs. the OS.



But the key point here is that it appears to be a bit of a zero-sum game. There is a finite number of workflows that a given human will have, and that humans will have on average. And both apps and operating systems will divide these up.



So as an application developer I think it’s important to have that number of workflows and the allocation thereof as a key data point for all decisions.






Published on July 14, 2017 05:09

July 10, 2017

Unsupervised Learning: No. 85

This week’s topics: The future of security testing, nuclear plant hacks, Android malware, satellite decryption, wildcard certs, military encryption, G Suite protections, WWE S3, Tesla 3, Jawbone, drone hacking, mental aging, millionaire GPAs, discovery, recommendations, the weekly aphorism, and more…





This is Episode No. 85 of Unsupervised Learning—a weekly show where I curate 3-5 hours of reading in infosec, technology, and humans into a 15 to 30 minute summary.



The goal is to catch you up on current events, tell you about the best content from the week, and hopefully give you something to think about as well.





The show is released as a Podcast on iTunes, Overcast, Android, or RSS—and as a Newsletter which you can subscribe to and get previous editions of here.








The podcast and newsletter usually go out on Sundays, so you can catch up on everything early Monday morning.



I hope you enjoy it.









Published on July 10, 2017 10:00

July 9, 2017

Calligraphy Class



We did a calligraphy class today, and I feel an obsession coming on.



Typography, calligraphy, writing utensils—these are pure beauty to me.



This was a short beginner course, and we’re going to sign up for the intermediate one as well, which covers things like building your own “font”, using digital tools like Adobe Procreate to practice, etc.



It’s also extraordinarily relaxing to do calligraphy.



Really enjoyed it. 13/10. Would recommend.






Published on July 09, 2017 21:41

July 7, 2017

If Putin Ran Against Obama in Middle America



I think if Putin ran for President against Obama, and the only electorate was white, christian, middle America, Putin would win easily.



Here are some reasons.




At least Putin wouldn’t sell out America
At least Putin is a god-fearing Christian
We need strength, not weakness
We need someone who can make us respected again
Putin might be bad, but at least he’s not a communist
(or black)


These reasons would get him elected—in 2017—by millions of people in rural America.



Don’t blame candidates like Trump. They’re the symptom, not the disease. The disease is millions of dumb people who vote against their own interests, and the interests of America as a whole, due to ignorance and bigotry.



Notes


Yes, I know ignorance and bigotry are not the ONLY reasons people vote for candidates like Trump. But I’m as convinced as ever that they’re the primary reasons.





Published on July 07, 2017 08:52

July 5, 2017

The Ransomware Trinity



There are three things that industries ravaged by ransomware tend to have in common.




They have data that is sensitive enough to be protected.
The industry lacks mature defenses.
Someone in the victim ecosystem is willing and able to pay.


Where we’ve seen this so far are places like:




Hospitals
Schools
Small businesses
Home users (to a lesser extent)


But if you look at those criteria I think you can predict new places that will be targeted in the future. One I think is ripe for it is:




Law firms


Think about the data they have. Think about how much effort they’re spending on security. And think about how much money they have to pay ransom.



It’s the perfect mixture.



What other industries should we be watching out for and getting ready to protect?



Notes


This also applies to Extortionware, if that ever becomes a thing.
Please do your best not to notice that there is no overlap in this Venn diagram. I blame Google Docs for not having a Venn function. You should too.





Published on July 05, 2017 21:05

July 4, 2017

The Future of Pentests, Bug Bounties, and Security Testing



People are very confused about the bounty vs. penetration test debate. They see fundamental differences that don’t actually exist, and they’re blind to what’s actually coming.



The reality of testing needs can be reduced to a few key variables, which exist on a spectrum.




Good vs. bad testers
Many testers vs. few testers
High vs. low business context
Paid by finding vs. by report
High tester trust vs. low tester trust


The future

Rather than giving my ideas about the future of testing, let me tell you what I believe to be the future of IT. Combined with the testing variables above the path should illuminate itself.




Businesses will eject most internal IT functions, preferring to use vendors instead.
The business will retain a small number of super elite IT people who are extremely fluent in both business and IT.
These business/IT (BIT) people will manage vendors in order to best achieve the goals of the business.
90% of IT workers will work for vendors / consultancies.
Infosec becomes vastly more data-driven in terms of what works for security and what does not, driven by insurance companies being the first groups incentivized to collect and use this information.
Insurance companies will determine the infosec standards because they will have the data about what works.
Because they will have the data, they know that certain projects need certain types of testing, and other types need other approaches.
Based on the type of project you have, the project’s business sensitivity, how many times it’s been assessed in the past, etc., there will be a best-fit type of assessment for that project.
The variables will be:




How sensitive the project is, i.e. the trust level of testers required to work on it.
Automated vs. manual testing.
How many testers are used.
Incentivization / payment structure.
The knowledge of the business required to provide valuable results.

The BIT person will reach out to several vendors and request an assessment with the precise mixture of these components.
Some vendors will excel at specific areas, such as high-trust testers, or testers who know a particular business, but the trend will be towards large companies that can do all of them.
Many large testing vendors will really be exchanges that can find any combination of individual to fit a given need.
The BIT will pick one vendor that has the best mix, and the work will get done.


Back to the present

So the future of testing is not a race to differentiation, it’s a race to similarity. Both penetration test companies and bounty companies need to become flexible enough to handle this entire range of capabilities.



Some assessments need highly vetted people, even if it’s just one or two. Other assessments need large numbers of people, no matter their background or alignment. Some require deep relationships with, and knowledge of, the customer. Others need no context whatsoever.



The truth is, as a BIT, you don’t care who you’re using as long as you can trust the results and that they’ll be professional. If you can provide better results, and better guidance on how to reduce risk for the company—all without breaking that precious trust that the whole thing is based on—you will do well.



Now, who do you think is better positioned to make this move?



Or, put another way, is it easier for:




Security services companies with deep relationships with customers built over years or decades to add a researcher program that brings hundreds or thousands of testers under their banner at varying levels of trust, and to then build or buy a platform for managing those testers as they find bugs for their customers, or…
For companies based around a vulnerability platform to build the internal trust required to be trusted for ANY type of project the customer has?


I think it’s the former. It would seem to be easier for a trusted security services company to add testers than for pure-play bounty companies to engage deeply with companies as a trusted advisor. But either way, that’s what the race looks like. And both company types must ultimately do both or face extinction.



Longer term, it’s all about the testing talent

The funny part is that, long term, it actually doesn’t matter which model wins between pure-play bounty and traditional testing companies. The race described above is only on the 2-10 year scale. The next evolution of the future of work presents a threat to testing companies themselves—traditional, bounty, or whatever. Ask yourself this:




Who are the most important parties in the testing conversation?




The tester and the customer.



Everyone else is a middleman, i.e., a bunch of taxi companies in a world of ride sharing.



There is, of course, a component of, “Who are you going to sue if something goes wrong?”, and right now that dynamic heavily favors having a reputable testing company (not a bounty company) between the tester and the customer. But as the individual-based economy (and the technology-based trust infrastructure that powers it) gains acceptance, this will quickly decline as a factor.



As I talk about in The Real Internet of Things, individuals will be rated by trust, by quality, by how pleasurable they are to work with, etc., and they will win or lose contracts based on this rating.



As the infrastructure grows for tracking such meta, including one’s trustworthiness, how well they perform, how well they communicate, etc., having the middle-person will be needed less and less. The better the middle tech layer becomes at finding matches and ensuring quality, the less a third party is needed between the customer and the actual provider of the service.



In short, both the traditional testing and bug bounty companies represent the old, taxi model of staffing security engagements, and they’re both going to be replaced by the individual-based gig economy.



That’s why I laugh when I see the industry so obsessed with the distinction between being a penetration tester, a researcher, a bounty player, or whatever specific title we wish to assign. In an individual-based economy this distinction becomes arbitrary.



Testers will be testers with a set of skills. They might have a regular-ish job with a particular company, while also doing other contracts on the side, and while also pursuing their own research. What are they? Pentesters? Bounty people? Researchers?



Yes, yes, and yes.



The future of security testing is individual-based and non-binary, and if you’re a third party in between them and the customer, you’re going to be in a bad position.



Summary


People are far too emotional about the bounty vs. pentest debate, usually because of bias.
The industry is actually racing to similarity, with all companies having many testers and many trust levels.
In the longer-term future it won’t even be about pentest or bounty companies because testers will be non-binary participants in the gig economy.
In this model, both types of companies become part of the past because they are third-party middlemen in a gig-based transaction.


This is why I can’t get too worked up about the bounty vs. pentest debate anymore. In the overall story arc of where security testing is going, it’s a moot point. Both models are intermediary, and the future is coming.



I look forward to the purity that individual-based testing will bring. It will simply be people with skills and reputations being harnessed to solve problems. And that’s the future of work, not just security testing.



Let’s stop fighting about who’s better at the old models, and start thinking about how to get to the new one.



Notes


Keep in mind that this transition will take time and will have many different phases. There will still be entities that pop up to pre-filter resources, like exchanges, that companies can buy from. But all of these solutions are temporary fixes to the technological problem of purchasers not being able to fully trust the rating systems. As those systems approach a realistic representation of quality and trust, the third-party vouching and liability services will become less needed and less valuable.
Insurance will be another solution to the liability problem. I can imagine a thriving insurance market where highly rated individuals run with insurance policies that help their clients relax about using them. So not only will they have high ratings in dependability, trustworthiness, and results quality, but they’ll also be covered for millions of dollars in the event of something bad happening. This will further diminish the need for a third party in the middle to take on liability.
I’ve had these thoughts for years now and have been reticent to share them. For one, I work at a testing company. Second, one of my favorite humans in the world (Jason Haddix) works at Bugcrowd, and my buddy Jeremiah Grossman is an advisor for them as well. Plus I have many other friends there that I care about, so I want to see all of them, as well as my own company, thrive. But there’s politics surrounding the topic—politics that get worse when marketing departments get involved and start slinging poo at each other. This happened recently, coming from the bug bounty companies, and I decided to write this as a reminder that the whole debate is an exercise in deck chair placement on the Titanic. Let’s be smarter and better.
If you’re wondering where this meta on individuals will be stored, such as their testing quality, their trustworthiness, their dependability, etc., I think the answer is in large, universal tech layers like LinkedIn, FICO, Insurance companies, etc. It’ll be all about massive databases of people, transactions, ratings, and fraud detection and defense. These companies will link job seekers with job providers, and everyone will run the WORK app on their phone like ride share drivers do now. Except it’ll be for all of your skills, not just one of them. This is how testers will find gigs—they’ll come to them automatically based on the customer’s need combined with their skillset, just like Uber and Lyft find drivers based on where you need to go, at what time of day, for how many people.
Many of these concepts are talked about in more depth in my book, The Real Internet of Things.
There will still be a place for companies that provide vetting services, but those services will not be consumed as sources for contractors, but rather as authoritative tagging of resources with a seal of quality. So rather than saying, “Go get me N testers from X company,” it’ll be, “Find me N testers who have the following criteria plus the X seal of quality given by Y service.”

__


I do a weekly show called Unsupervised Learning, where I curate the most interesting stories in infosec, technology, and humans, and talk about why they matter. You can subscribe here.




Published on July 04, 2017 05:01
