Daniel Miessler's Blog, page 120
July 4, 2017
The Truth About the Future of Pentests, Bug Bounties, and Security Testing
People are very confused about the bounty vs. penetration test debate. They see fundamental differences that don’t actually exist, and they’re blind to what’s actually coming.
The reality of testing needs can be reduced to a few key variables, which exist on a spectrum.
Good vs. bad testers
Many testers vs. few testers
High vs. low business context
Paid by finding vs. by report
High tester trust vs. low tester trust
The future
Rather than giving my pitch now, let me just tell you what I believe the general future of IT looks like. Combined with the variables above the path should illuminate itself.
Businesses will eject most internal IT functions, preferring to use vendors instead.
The business will retain a small number of super elite IT people who are extremely fluent in both business and IT.
These business/IT (BIT) people basically manage vendors in order to best achieve the goals of the business.
90% of IT workers work for vendors / consultancies.
Infosec becomes vastly more data-driven in terms of what works for security and what does not, driven by insurance companies being the first groups incentivized to have this information.
Insurers determine the infosec standards because they have the data about what works.
Because they have the data, they know that certain projects need certain types of testing, and other types need other approaches.
Based on the type of project you have, its business sensitivity, how many times it's been assessed in the past, etc., there will be a best-fit type of assessment for that project.
The variables are:
How sensitive the project is, i.e. the trust level of testers required to work on it.
Automated vs. manual testing.
How many testers are used.
Incentivization / payment structure.
The knowledge of the business required to provide valuable results.
The BIT person will reach out to several vendors and request an assessment with the precise mixture of these components.
Some vendors will excel at specific areas, such as high-trust testers, or testers who know a particular business.
Many large testing vendors will really be exchanges that can find any combination of individuals to fit a given need.
The BIT will pick one vendor that has the best mix, and the work will get done.
Back to the present
So the future of testing is not a race to differentiation, it’s a race to similarity. Both penetration test companies and bounty companies need to become flexible enough to handle this entire range of capabilities.
Some assessments need highly vetted people, even if it’s just one or two. Other assessments need large numbers of people, no matter their background or alignment. Some require deep relationships with, and knowledge of, the customer. Others need no context whatsoever.
The truth is, as a BIT, you don’t care who you’re using as long as you can trust the company and its results. If you can provide better results, and better guidance on how to reduce risk for the company—all without breaking that precious trust that the whole thing is based on—you will do fine.
Now, who do you think is better positioned to make this move?
Or, put another way, is it easier for:
Security services companies with deep customer relationships built over years or decades to add a researcher program that brings hundreds or thousands of testers under their banner at varying levels of trust, and then to build or buy a platform for managing those testers as they find bugs for their customers, or…
For companies based solely on having a vulnerability platform to build the internal trust required to be trusted for ANY type of project the customer has?
I think it’s the former.
I think it’s a whole lot easier for a trusted security services company to be able to add testers to their bench than it is for pure-play bounty companies to embed deeply into companies as a trusted advisor.
But either way, that’s what the race looks like. And both company types must ultimately do both or face extinction.
Longer term, it’s all about the testing talent
The funny part is that, long term, it actually doesn’t matter which model wins between pure-play bounty company and traditional testing company. The future of work described above is only an intermediary step, and the next stage of evolution presents a threat to testing companies themselves.
What evolution am I talking about?
To answer that, ask yourself who actually matters in this mix. The most important players in a security assessment are the tester and the customer. Everyone else is a middleman, i.e., a bunch of taxi drivers in a world of ride sharing.
There is, of course, a component of, “Who are you going to sue if something goes wrong?”, and right now that dynamic heavily favors having a reputable testing company (not a bounty company) between the tester and the customer. But as the individual-based economy (and the technology-based trust infrastructure that powers it) gains acceptance, this will quickly decline as a factor.
As I talk about in The Real Internet of Things, individuals will be rated by trust, and they will win or lose jobs based on this rating. As the infrastructure grows for tracking such meta, including one’s trustworthiness, how well they perform, how well they work with others, etc., having the middle-person will be needed less and less. The better the middle tech layer becomes at finding matches and ensuring quality, the less a third party is needed between the customer and the actual provider of the service.
In short, both the traditional testing and bug bounty companies represent the old, taxi model of staffing security engagements, and they’re both in line to be replaced by the individual-based gig economy.
That’s why I laugh when I see the industry so obsessed with the distinction between being a penetration tester, a researcher, a bounty player, or whatever specific title we wish to assign. In an individual-based economy this distinction becomes arbitrary.
Testers will be testers with a set of skills. They might have a regular-ish job with a particular staffing company, while they’re also doing other contracts on the side, while they’re also pursuing their own research as well. What are they? Pentesters? Bounty people? Researchers?
Yes, yes, and yes.
The future of security testing is individual-based and non-binary, and if you’re a third party in between them and the customer, you’re destined to be in a bad position.
This is why I can’t get too worked up about the bounty vs. pentest debate anymore. In the overall story arc of where security testing is going, it’s a moot point. Both models are intermediary, and the future is coming.
I look forward to the purity that individual-based testing will bring. It will simply be people with skills and reputations being harnessed to solve problems. And that’s the future of work, not just security testing.
Let’s stop fighting about who’s better at the old models, and start thinking about how to get to the new one.
Notes
Keep in mind that this transition will take time and will have many different phases. There will still be entities that pop up to pre-filter resources, like exchanges, that companies can buy from. But all of these solutions are temporary fixes to the technological problem of purchasers not being able to fully trust the rating systems. As those systems approach a realistic representation of quality and trust, the third-party vouching and liability services will become less needed and less valuable.
Insurance will be another solution to the liability problem. I can imagine a thriving insurance market where highly rated individuals run with insurance policies that help their clients relax about using them. So not only will they have high ratings in dependability, trustworthiness, and results quality, but they’ll also be covered for millions of dollars in the event of something bad happening. This will further diminish the need for a third party in the middle to take on liability.
I’ve had these thoughts for years now and have been reticent to share them. For one, I work at a testing company. Second, one of my favorite humans in the world works at Bugcrowd, and my buddy Jeremiah Grossman is an advisor for them as well. Plus I have many other friends there that I care about, so I want to see all of them, as well as my own company, thrive. But there’s politics surrounding the topic—politics that get worse when marketing departments get involved and start slinging poo at each other. This happened recently, coming from the bug bounty companies, and I decided to write this as a reminder that the whole debate is an exercise in deck chair placement on the Titanic. Let’s be smarter and better.
If you’re wondering where this meta on individuals will be stored, such as their testing quality, their trustworthiness, their dependability, etc., I think the answer is in large, universal tech layers like LinkedIn, FICO, Insurance companies, etc. It’ll be all about massive databases of people, transactions, ratings, and fraud detection and defense. These companies will link job seekers with job providers, and everyone will run the WORK app on their phone like ride share drivers do now. Except it’ll be for all of your skills, not just one of them. This is how testers will find gigs—they’ll come to them automatically based on the customer’s need combined with their skillset, just like Uber and Lyft find drivers based on where you need to go, at what time of day, for how many people.
Many of these concepts are talked about in more depth in my book, The Real Internet of Things.
__
I do a weekly show called Unsupervised Learning, where I curate the most interesting stories in infosec, technology, and humans, and talk about why they matter. You can subscribe here.
June 29, 2017
One Answer to Failing Advertising is Customized Product Discovery
Everyone hates bad advertising, which is why the industry is in a freefall. But what does it mean to be bad advertising? Is there such a thing as good advertising?
I think there is, and I think the way to tell the difference is to simply ask yourself if you consider the thing you’re being shown to be:
An annoyance, or
A service
If it’s annoying, it’s bad. That means that the thing you’re being shown is not something you’d ever buy, consider, share, or otherwise care about. It’s not matched to you in any way, or there’s some sort of other disconnect that otherwise puts you off (like being pitched wedding information during a painful divorce).
So that’s bad.
Good ads are indistinguishable from someone paying a service to find cool things for you. So imagine you just want to know the coolest bags, tech gadgets, vacations, services…whatever. And you’re willing to pay $100 a month for this service.
And imagine that the way they deliver this service is not to have you come to a designated location to browse options, but instead they subtly slip the products they find right into your normal daily workflow. So while you’re sitting at a stoplight. While you’re on a train. While you’re working out. While you’re browsing the internet. Etc.
Imagine that this service is excellent. It constantly finds items for you that you would have never found otherwise, but that you absolutely enjoy, and when you see them you are frequently delighted and happy that you paid for the discovery service.
That’s what good ads should be. And if any ad company wants to survive, that’s what they must become.
Facebook is getting pretty close to this already. I think I might have bought around 3-5 items from Facebook that I genuinely enjoyed learning about. Of course they’re using my data, data about who I like and follow, and a ton of machine learning to figure out the products I’d like to see, but that’s just a given at this point. Anyone trying to serve ads who can’t do this is basically doomed. See the industry freefall for reference.
So the point is this: good ad services don’t feel like ads at all. They feel like paid discovery services for the rich.
As a consumer, ask yourself what kind of ads you would be willing to tolerate, and why. Hopefully you’ll see some examples of ads that you enjoyed, and perhaps they’ll have this quality to them.
And as a company doing advertising, ask yourself whether or not the delivery mechanism for your ad is tuned enough to be mistaken for a paid service. If it’s not, you’re likely annoying someone and wasting a lot of money. Try to reach the standard of paid service in your delivery. If you can pull it off, your campaign is likely to be wildly successful.
Everyone is overwhelmed with information, and they’re tired of seeing things that aren’t relevant. Individually tuned, curated discovery of new products and services is where the game is at.
June 27, 2017
Unsupervised Learning: No. 83
This week’s topics: Petya ransomware worm, RNC breach, Anthem settlement, Russians want source code, risk ratings, patching, ICOs, ideas, discovery, recommendation, aphorism, and more…
This is Episode No. 83 of Unsupervised Learning—a weekly show where I curate 3-5 hours of reading in infosec, technology, and humans into a 15 to 30 minute summary.
The goal is to catch you up on current events, tell you about the best content from the week, and hopefully give you something to think about as well.
The show is released as a Podcast on iTunes, Overcast, Android, or RSS—and as a Newsletter which you can subscribe to and get previous editions of here.
The podcast and newsletter usually go out on Sundays, so you can catch up on everything early Monday morning.
I hope you enjoy it.
3 Factors That Determine the Effectiveness of a Worm
With WannaCry and now with Petya we’re getting to see how and why some ransomware worms are more effective than others.
[ Jul 3, 2017 — It’s now pretty well accepted that Petya wasn’t ransomware but a wiper instead. The post still applies to ransomware, though. ]
I think there are 3 main factors: Propagation, Payload, and Payment.
Propagation: You ideally want to be able to spread using as many different types of techniques as you can.
Payload: Once you’ve infected the system you want to have a payload that encrypts properly, doesn’t have any easy bypass to decryption, and clearly indicates to the victim what they should do next.
Payment: Finally, you need to be able to take in money efficiently and then actually decrypt the systems of people who pay. This piece is crucial; otherwise people will soon learn that you can’t get your files back no matter what, and will be inclined to just start over.
WannaCry vs. Petya
WannaCry used SMB as its main spreading mechanism, and its payment infrastructure lacked the ability to scale. It also had a killswitch, which was famously triggered, stopping further propagation.
Petya seems to be much more effective at the spreading game, since it uses not only the SMB exploit (EternalBlue) but also WMIC, PsExec and LSASS credential dumping (lsadump) to get onto more systems. This means it can harvest working credentials and spread even to targets that aren’t vulnerable to the exploit.
[ NOTE: This is early analysis (Tuesday morning) so some details could turn out to be different as we learn more. ]
What remains to be seen is how effective the payload and the payment infrastructures are. It’s one thing to encrypt files, but it’s something else entirely to set up an infrastructure to have hundreds of thousands of individual systems send you money, and for you to send them each decryption information.
That last piece is what determines how successful, financially speaking, a ransomware worm is. This is, of course, assuming that the primary goal was to make money, which I’m not sure we should take as a given.
Other questions
Many attributed WannaCry to North Korea. Do they think the new worm is from the same origin?
What are defenses against non-exploit-based spreading mechanisms?
What are we learning about worm defense from both of these instances?
Sounds like it’ll be an interesting next few days, at the very least.
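The non-exploit spreading mechanism asked about above leaves a distinctive trace in host logs: one set of harvested credentials produces a burst of network logons across many hosts in a short window, and each logon is followed by a PsExec service install or a process spawned by WMI. As an added example (not code from the original post), here is a small Python detector for that pattern. The event records are constructed for the example, with made-up host names, account names and addresses; the event IDs (4624 logon, 7045 service install, 4688 process creation) and field names follow the Windows Security and System logs, and the five-minute window and three-host threshold are assumptions to tune for your environment.

```python
"""Flag credential-based lateral movement (PsExec / WMIC fan-out) in Windows event data.

Added example, not code from the original post. SAMPLE_EVENTS is constructed:
hosts, accounts and addresses are made up; EventID/LogonType/ServiceName/
ParentProcessName mirror the Windows Security and System log fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    # svc_backup: network (type 3) logons to four hosts in ~2 minutes from one source,
    # each followed by a PsExec service install or a WMI-spawned process.
    {"ts": "2017-06-27T09:00:05", "host": "ws-01", "EventID": 4624, "LogonType": 3,
     "TargetUserName": "svc_backup", "IpAddress": "10.0.0.15"},
    {"ts": "2017-06-27T09:00:07", "host": "ws-01", "EventID": 7045, "ServiceName": "PSEXESVC"},
    {"ts": "2017-06-27T09:00:31", "host": "ws-02", "EventID": 4624, "LogonType": 3,
     "TargetUserName": "svc_backup", "IpAddress": "10.0.0.15"},
    {"ts": "2017-06-27T09:00:33", "host": "ws-02", "EventID": 7045, "ServiceName": "PSEXESVC"},
    {"ts": "2017-06-27T09:01:10", "host": "ws-03", "EventID": 4624, "LogonType": 3,
     "TargetUserName": "svc_backup", "IpAddress": "10.0.0.15"},
    {"ts": "2017-06-27T09:01:12", "host": "ws-03", "EventID": 4688,
     "NewProcessName": "C:\\Windows\\System32\\rundll32.exe",
     "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},
    {"ts": "2017-06-27T09:01:58", "host": "fs-01", "EventID": 4624, "LogonType": 3,
     "TargetUserName": "svc_backup", "IpAddress": "10.0.0.15"},
    # Controls: an interactive logon and a routine service install that must not fire.
    {"ts": "2017-06-27T09:00:20", "host": "ws-09", "EventID": 4624, "LogonType": 2,
     "TargetUserName": "alice", "IpAddress": "-"},
    {"ts": "2017-06-27T09:30:00", "host": "ws-09", "EventID": 7045, "ServiceName": "Dell Update"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def logon_fanout(events, window=timedelta(minutes=5), min_hosts=3):
    """Accounts whose network (LogonType 3) logons reach >= min_hosts distinct hosts
    inside any sliding `window`. Returns {account: sorted list of hosts}."""
    per_account = defaultdict(list)
    for e in events:
        if e.get("EventID") == 4624 and e.get("LogonType") == 3:
            per_account[e["TargetUserName"]].append((_ts(e), e["host"]))
    hits = {}
    for account, logons in per_account.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                hits[account] = sorted(hosts)
                break
    return hits


def remote_exec_hosts(events):
    """Hosts showing a PsExec service install (7045 PSEXESVC) or a process whose
    parent is the WMI provider host (4688 under WmiPrvSE.exe)."""
    hosts = set()
    for e in events:
        if e.get("EventID") == 7045 and e.get("ServiceName", "").upper() == "PSEXESVC":
            hosts.add(e["host"])
        elif e.get("EventID") == 4688 and e.get("ParentProcessName", "").lower().endswith("wmiprvse.exe"):
            hosts.add(e["host"])
    return hosts


def findings(events, **kwargs):
    """Join the two signals: a fanning-out account plus the hosts on which remote
    execution was actually observed. Each finding is a dict."""
    exec_hosts = remote_exec_hosts(events)
    results = []
    for account, hosts in logon_fanout(events, **kwargs).items():
        results.append({
            "account": account,
            "hosts": hosts,
            "remote_exec_on": [h for h in hosts if h in exec_hosts],
        })
    return results


if __name__ == "__main__":
    for f in findings(SAMPLE_EVENTS):
        print(f"{f['account']}: logons to {f['hosts']}; remote exec seen on {f['remote_exec_on']}")
```

The fan-out check alone is noisy (vulnerability scanners and backup agents also touch many hosts with one account), which is why the second signal is joined in: a burst of network logons that is immediately followed by service installs or WMI-spawned processes on the same hosts is the shape of credential-driven worm propagation, and it fires whether or not those hosts were patched against the SMB exploit.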
Notes
I’m sure there are much more thorough ways to analyze the efficacy of worms. These are just three that came to mind while reading about Petya and thinking about it compared to WannaCry.
Thanks to Michael A. for the updated information regarding spreading methods.
June 25, 2017
I’m Selling a Late 2013 MacBook Pro
My friend Saša is selling his MacBook Pro from late 2013 for $1,700 so that he can buy a MacBook. Here are the specs:
Retina
2.6 GHz i7 (4 cores)
16 GB memory
1 TB SSD
1.5 GB dedicated video card
Model Name: MacBook Pro
Model Identifier: MacBookPro11,3
Processor Name: Intel Core i7
Processor Speed: 2.6 GHz
Number of Processors: 1
Total Number of Cores: 4
L2 Cache (per Core): 256 KB
L3 Cache: 6 MB
Memory: 16 GB
Boot ROM Version: MBP112.0138.B25
SMC Version (system): 2.19f12
Serial Number (system): (redacted)
Hardware UUID: (redacted)
I’ve known Saša for almost 10 years, and he’s one of my closest personal friends. He’s an executive at a Fortune 10 company, and he’s extremely anal about all his possessions, as you can see from the images. He has all the original packaging.
If you’re interested, you can email me and I’ll put you in touch with him.
June 23, 2017
Gun Control and British Terrorism
I didn’t write about this immediately because it seemed insensitive, but I want to ask a couple of simple questions about the various terrorist attacks in Britain.
If you’re a “more guns equals more safety” type of person, do you honestly believe that the knife attacks in Britain would have been less deadly if guns were easy to get in the country? So, let’s say that it’s fairly easy to get an AR-15, multiple Glocks, and plenty of ammunition. Would the same terrorists armed with the same weapons (instead of knives) have done more or less damage?
Before you answer, let’s assume that some decent percentage of the population is also armed with a Glock or equivalent. Let’s say 25%, which seems high even for the United States.
Now, given both sides being armed in this way, would there be more or fewer deaths and casualties as compared to there being very few guns, i.e., so few that terrorists attack with vehicles and knives.
My intuition is that there would be far more damage, and far more deaths and casualties.
It seems to me that you’d need a population of 50-75% undercover cops before you’d be able to accurately take out attackers before they could do more damage than they could with a knife, and those are numbers that aren’t realistic.
To me this is a case in point of the gun control side being more right. Of course, it’s a whole separate matter of whether it’s possible to get gun numbers down to British levels. The argument is moot if they’re already saturated in a society as with the U.S.
Anyway, curious if you guys see it differently.
June 22, 2017
This Universe’s Final Problem
Once we’re able to decipher our minds, our memories, and everything that makes us unique as individuals, we’ll be able to transfer our minds into digital form.
This will basically make us immortal, and I think the next stage is to share knowledge among all of us that are digital.
Once we’re all sharing common knowledge, I don’t see why we will be considered individuals anymore. I think there will be some vestiges that remain for a while, as a matter of tradition, or of respect for what we used to be, but it seems like we’d evolve out of that as well and inevitably end up at a single post-human life form.
The interesting part is that I think most civilizations will do the same. I think it’s a matter of stages of development.
These stages map to challenges. At first the challenge is to be created at all, from the primordial soup. Then it’s to evolve. Then it’s to beat out your animal competitors. Then it’s to avoid being destroyed by disease. Then there are meteors. Then you have to not destroy yourself with nuclear and biological warfare.
So now, as a civilization, you’ve made it to say level 6 or so. The next level is to not get eradicated by an aggressive superintelligence before you merge with it.
But let’s say you get there. You’ve created superintelligence, you’ve evolved your humanity to merge with it, and now you’re just one superintelligent being with all the knowledge and experiences of the human race.
On earth, let’s call ours Huma.
So we’re on earth, we’ve probably explored the solar system and maybe even populated it decently well with other extensions of ourselves.
But our next problem is non-trivial to solve. The Sun is going to burn out, and it’s going to destroy the earth. That means no more energy. That means death.
So we have to find another star. We have to find another home. We have to find more energy.
This is the true essence of life: the struggle to overcome, to be victorious, to survive, and to expand. It’s the same with battling against other animals in the African plains as it is looking to find another star before ours burns out.
I think we can assume that the universe is full of civilizations on this path. Single, super intelligent entities that have the history of their evolution within them, who are conquering the next challenge. That challenge is likely to be finding good planets with good stars, and planning for the future.
The most advanced of them, perhaps together with thousands or millions of others, will be working on the final challenge. The final challenge of course is avoiding the Heat Death of the universe, and it’s the hardest problem in the world.
I imagine a federation of superintelligences, representing millions of civilizations, each with billions of years of evolution, roaming around the universe trying to solve the Final Problem.
A few of them have decided to unite and become part of Uni, which is the combined super intelligence that has all the experiences of all joined civilizations. Many more will join, but only after they are comfortable enough with their own identities that they’re willing to absorb them into a greater whole.
Notes
I could see writing some fiction in this universe, where some civilizations are part of Uni, some are close to it, but then there are many that are just starting. Some are mid-level and they prey on the early ones, so when early-tech life forms send out SETI signals, two types of groups respond: the ones going to destroy and pillage them, and the defenders who go to prevent that from happening.
I’d love to read a series based on the Early Tech Defense Force (ETDF) that responds to SETI signals like fire calls and immediately goes to protect them from pillagers.
4 Things the Far Left Are Doing to Drive Moderates to the Right
Liberalism in the United States is in the middle of a slow motion suicide by poison. We’re watching the unscrewing of the lid, the last looks about the room, and the multiple sips from the vial. Except we’re seeing it happen at one frame per month with no ability to stop the film.
The far left has effectively blacklisted the thinking or voicing of certain opinions, simultaneously pushed a series of regressive and ridiculous narratives, and then proceeded to witch-hunt at the individual and media levels using outrage porn as its primary weapon.
The effect is slow destruction of the original progressive agenda, with more and more liberals being forced to leap from the hijacked bus. Even worse, though, is that it’s creating a gap in ideology between the extreme left and the extreme right. And the gap continues to grow in both breadth and depth.
We’re approaching a moment where we have just three groups in this country:
The Regressive Left who spews social-media-powered outrage, hatred, and labels at anyone who disagrees with their far-left opinions and in turn harms progressivism the way only a friend can.
The Alt-right, which is effectively indiscernible from a race-oriented fascist party.
And the growing middle ground that suddenly has no home. They are the 70% in the middle who leaned a bit left, or leaned a bit right, but are suddenly forced to pick between safe spaces and Muslim registries.
It’s not a recipe for disaster, it’s the pre-made cake of disaster (because we already know how it turns out).
Arguments from arrogance
Here are some of the ways the extreme left is pushing people towards apathy and/or the extreme right.
Insisting women who are happy being mothers and wives are either lazy or anti-feminist: It’s obviously ok to encourage any group to do better for themselves, but it’s pretty shitty to say to millions of women—who might have actually considered all the options (gasp) and who chose to stay home—that they’re bad people.
There’s also a lot of irony in the position, as it assumes an intellectually inferior position for women, since they obviously don’t know what’s best for themselves. To be clear, many of these same women are absolutely feminists when it comes to allowing women to enter the corporate world, start businesses, or do whatever. They simply don’t see staying at home as failing to do those things, but rather as an alternative and equal choice. Many women see attacks on that choice as a violation of something natural and ok, and it pushes them away from the left even if they leaned progressive on many other issues.
Equating school shootings caused by mental health issues with Islamic terror. With each mass attack on civilians done by Islamic extremists it becomes increasingly counter-intuitive and offensive to say it has nothing to do with Islam. And when you tell people this untruth, without flinching, and expect them to pass it along to others, it produces a burning anger inside. It’s an anger created by being asked to believe and preach something you know not to be true.
We have a problem with extreme Islam that only moderate Islam can fix, and you start that conversation by identifying that we have a problem. Right now, in the entire world, there is no newspaper that will print an image of Mohammed. The reason is that there’s a very high chance that they will be murdered within hours or days of publication. This is not a problem for any other religion on Earth. It’s not a problem with Putin. It’s not a problem with Kim Jong Un. It’s not a problem with the Satanic church. Only Islam. Now add to that the fact that when you ask British Muslims if it’d be justified to commit terrorist atrocities against someone who mocks Mohammed, 27% said they had some sympathy for those behind the attacks on Charlie Hebdo, and 11% said they deserved it. That’s 300,000 people who think murdering a cartoonist was justified because they insulted Islam. British Muslims.
So, yes, we have a problem with Islam in that it largely doesn’t seem consistent with western values. It’s obvious in these sorts of polls, and it’s obvious in a constant stream of suicide attacks carried out by Muslims. White people (or any ethnicity really) shooting up some place due to not having education, not having a job, not having any meaningful relationships, and basically no prospects for the future is quite distinct from an actual ideology. Extreme Islam is an ideology that has to be actively opposed, just like Neo-nazism or anything else like that. And when you claim equivalency with random mental health related violence it defies common sense and produces even more of this internal anger that cannot be voiced.
Pushing white male guilt as a solution to every problem. A lot of white people wish they could be proud of something related to their heritage. Something Irish, or German, or English, or whatever. But they know they can’t do that because it means they (according to the crowd with torches) are also then proud of European colonialism. Once again, you have a powerful feeling (loving one’s ancestry) that is forced to be repressed due to far-left ideology.
This isn’t healthy, and it isn’t fair. Europeans did some dark shit, without question. But every race and group you can name did similar things if you look at the history. We should all be ashamed, and we should all be proud. Anytime you remove either of these feelings, for any group, you produce a festering and boiling pressure that can only be ugly when it finally says something.
Insisting that no part of gender or racial representation in various industries/careers has anything to do with their respective interests or talents. The far left wants you to believe that all workforces should have a gender and race distribution that perfectly matches the overall population distribution. And if it deviates from that, the company or industry is purely racist or sexist. Period.
Do they notice that most top writers in journalism, comedy, and movies are Jewish? Do they notice that black people make up 18% of the U.S. population while making up 75% of NBA players? Do they notice that countries with the most gender equality also have the most gender-specific industries? Or how about the fact that Jews make up only 0.2 percent of the world’s population but they have over 20% of all Nobel prizes?
If you’re anything like me you’re probably thinking this is some sort of veiled attack on equality.
Didn’t you just say that it’s ok that women stay home, that Islam is completely evil, that jews and blacks can only do one thing, etc? This sounds like crazy right-wing stuff!
Right. No. Here’s what I’m saying.
If some differences actually do exist in genders and ethnicities then that’s ok. It’s ok for different groups to have, on average, some different kinds of preferences or talents. Even if true it would say nothing about what individuals want or are capable of.
Denying obvious things, as a matter of policy, is really bad. There seems to be something going on with certain ethnicities and certain kinds of excellence. There seems to be something going on with certain genders and some overall career preferences. Islam seems to have a problem with extremism. The worst possible thing you can do, if you want to maintain any amount of respect, is 1) deny what’s right in front of you, and/or 2) call someone out as a bad person for noticing those things.
This denial plays DIRECTLY into the hands of the extreme right. They harvest it like rotting fruit on the ground. They watch liberals deny obvious things and say, “You see how stupid that is, right? You see they’re lying to you? (nodding) Well, let me tell you what’s REALLY going on.” And they proceed to fill heads full of racist and sexist bullshit.
So what are we to do as decent liberals who a) care about the truth, and b) care about defending and promoting progressive ideals?
We say something like the following:
(turning to the sexists and the far left)
Yes, it’s true. Women appear to like doing different things in a lot of cases. Many appear to find being alone looking at numbers all day to be dumb and worthless compared to interacting with and helping actual people. Maybe that has something to do with being the only gender that creates human life inside their bodies (gasp!). And maybe that makes them awesome.
What this DOESN’T mean is that you know anything about any given woman when you meet her. Maybe she wants to be a mother and a wife, and if so she’s a fucking hero. Or maybe she doesn’t want a family at all, or even a boyfriend (or girlfriend), and instead she wants to be a CEO fucking astronaut. And what I’m saying, as a progressive, is that I will thrash your ass if you imply that she cannot, or should not, be either, because she’s either not capable or because one is inherently better than the other.
(turning to the racists and the far left)
Ok, sure, let’s say it’s true. Let’s say some ethnicities are better at certain things—on average—than other ethnicities. So what? This tells you absolutely nothing about the next person you meet, the next person you’re thinking about marrying, or the next person you’re thinking about electing to run our country. Everyone is an individual, and the spans between individuals are far wider than any group difference could ever be.
Since I’ve probably confused you, that means that all groups have massive ranges of attributes, skills, talents, and abilities that massively overlap, so when you think you know something about a person because of their ethnicity, that’s a symptom of you not being good at math, and that you should get a library card.
(turning to the white people, the white nationalists, and the far left)
You know what? Europeans have actually accomplished a lot. You did some great things. Have your Irish parties. Have your German parties. Celebrate your ancestry. Being white is cool, just like being every other race is cool. We get it, you do your thing.
(turning to the white nationalists) As for you people, you’re all officially out of work. As you just heard, we’ve removed the ban on white pride. People are now free to be proud of their heritage no matter what their race. So, since you said that’s what your party was about, I suppose you can go home now. (chants in the crowd).
Oh, you want white people to be in charge? You want to subjugate everyone else? Well, then you’re garbage, plain and simple, and the sooner you all get bred out of existence the better. The future is cocoa colored and cyber-enhanced, you silly idiots. Pack up all your dumb Hitler shit and get out of here before we call the police. Your days are numbered, and you are opposed by not just Asians, Hispanics, and black folks, but by the majority of whites as well. We. Are. The. Future. You. Are. The. Past.
(turning to the Islamophobes and the far left)
Yes, Islam has some major issues. It’s not gone through a reformation, the books are still in their original forms, and they have a LOT of nasty stuff in them that people can dig up and throw around at will. And we also have a lot of so-called moderate Muslims who support hardline beliefs far too much to be consistent with western values. So that’s a problem.
But we also have hundreds of millions (the actual vast majority) of Muslims who are extremely western, secular, and progressive. They just want to raise families, see their kids become successful, and die of old age. If you care about national security, or even just human decency, what you’ll do is engage THOSE PEOPLE in conversation.
They are our friends. They are our brothers and sisters. They’re the good guys, just like anyone else. And they’re also the people closest to the problem. So the single, dumbest, fucking thing you can do—without question—IS TREAT THEM LIKE THEY’RE THE FUCKING PROBLEM. Stop being a goddamn xenophobe and be part of the solution.
Summary
There’s one theme here. We cannot let the extreme be the only ones telling truths.
When the left fails to call out differences or pressures or problems that are SO OBVIOUS to see, it starts a kindling that the right is eager to ignite.
Take that power from them. Speak truth. Be honest. Have difficult conversations. And then, afterward, love each other as one progressive humanity. That’s the only thing that will work against hate. Honesty and love.
Liberals must speak truth so that the enemy isn’t the only one doing so, because they twist it, distort it, and use it to do evil.
Having the courage to have the difficult conversations and protect your progressive ideals must start and end with honesty about reality, and wherever that fails you will open the door to racists and bigots who will use those omissions against you.
__
I do a weekly show called Unsupervised Learning, where I curate the most interesting stories in infosec, technology, and humans, and talk about why they matter. You can subscribe here.
20 Things You Probably Didn’t Know About Wonder Woman
I really enjoyed the latest Wonder Woman movie and was surprised by how powerful she was both in it and in the previous Superman movie. So I decided to do some research since I knew virtually nothing about her as a character.
Here are some of the interesting things I learned.
Wonder Woman was created in 1941 by William Moulton Marston, who wrote as Charles Moulton
Marston was an inventor of the polygraph and a radical feminist, but he was also deeply into domination, submission, and bondage
He believed that women are superior and that they would eventually rule the world because they’re more compassionate and less aggressive
He also believed that women could be superior but simultaneously embrace submission to men as a source of sexual enjoyment
One of Wonder Woman’s main weaknesses is that if a man binds her at the wrists (bracers) using his hands or chains or whatever, she loses her powers
All throughout the comics and the ’70s TV show she would often appear in bondage, but she would always find a way to free herself, which counters the ‘damsel in distress’ concept
In the new Wonder Woman movie (2017), she is thrown to the ground, wrapped and bound in metal, and then breaks free, which is without question a reference to that bondage and escape history
Wonder Woman is bisexual, and this is supported throughout the character’s history and also by the scene in the latest movie where she says men are unnecessary for pleasure
Marston and his wife were polyamorous and lived with two female lovers. One of the lovers, Olive Byrne, wore two bracelets, and is the inspiration for Wonder Woman
Wonder Woman was originally written to be made from clay and given powers by Aphrodite, but in the latest versions of her history she is the daughter of Zeus and has many of his powers, including the ability to control lightning
Her powers have changed and been lost and regained multiple times, but she is a demigoddess with powers similar to Superman and Thor in strength
Wonder Woman has repeatedly been relegated to lower roles within superhero teams due to sexism in the real world. In Justice League she was without question the most powerful hero there, yet she was given the role of secretary. This was probably directly referenced in the latest movie (2017) when she asks what a secretary is
Wonder Woman has actually been the God of War before, which is interesting given the controversy around the fact that Gal Gadot is Israeli and that Wonder Woman’s primary directive is bringing kindness to the world
Her powers and items come from the Greek gods, and each of them has granted her different things.
The bracelets are supposedly made from remnants of Athena’s shield, the Aegis, which is made from the hide of a she-goat that suckled Zeus as a baby.
The Lasso of Truth (or Hestia) was forged by Hephaestus from the golden girdle of Gaea and can compel anyone to tell the truth, which makes sense given the fact that Marston was the inventor of the lie detector. Wonder Woman is also said in multiple places to be skilled in psychology, which is Marston’s field (he was a psychologist)
Her tiara has been used as a boomerang in the past, and it also protects her from telepathic attacks and has been used to allow her to communicate with Amazons back home
Batman has called Wonder Woman the best melee fighter in the world.
Notes
Most of this was taken from the Wonder Woman Wikipedia page, as well as a few other guides online. It should be relatively accurate but I’m sure many items are up for debate, as with any superhero lore.