Daniel Miessler's Blog, page 128
March 19, 2017
Green Zone, Red Zone
This post will be stream of consciousness style.
I’m worried that existing trends around income inequality are only going to accelerate, and that this time around it’s going to become quite acute, with tangible consequences.
The author of Capital in the 21st Century made the fascinating observation that income inequality has mostly always been high, and that the only time this is corrected is through catastrophes, such as war. But basically inequality is ever-present and rarely gets rest. That might not be the exact point, but that’s what I remember.
The last big equalizer was World War II, which brought the classes together in a major way. I think AI, automation, and robots are going to add a force multiplier to the pace of separation we are about to experience.
As I’ve written about in many other posts, people are largely becoming unemployable, and the numbers and percentages of this group are growing rapidly. So what we’re heading towards is a massive and stark separation between those in perpetual struggle and those who live like techno-gods, enjoying the best food, the best entertainment, travel, leisure, etc.
I’m concerned about the role of media on this harsh separation. I’m worried that we could be heading into French Revolution territory due to the media being able to expose, magnify, and add narrative to the difference between those at the top and everyone else.
Before, it was possible for a tiny percentage of people to rule over the rest. Tens of thousands of elites ruling millions of suffering.
But I’m not sure our new media types will allow this.
Physical separation
The reason I think it’ll become so dire is due to the physical lines that will start appearing in society. It’s starting already, actually.
Certain inner cities will become home for Alphas alone—the top 5% of the population who can afford to live, work, and play there. And inside that city will be the newest condos, high-end malls, farmers markets, custom/one-off shops of all kinds, and lots of liberalish language and messaging—all about inclusion, you see.
But the people making it all possible, i.e., cleaning the floors, serving the food, washing the cars, etc.,—they’ll all live 30-60 minutes outside of town. They’ll spend inhuman amounts of time commuting to jobs that barely pay any money and that are under constant danger of being replaced by automation and robots.
Roving through the inner city circle will be tons of automated security. Cameras of course. But autonomous security vehicles. Drones. Microphones. Satellites. The whole cocktail. The place will be extraordinarily safe. A veritable playground for the top 5-10%.
And if a Beta wanders in after hours, or lingers too long after their shift, the security forces will tag them as suspicious. People will wonder why they’re still here. Why are they sitting in the chairs like patrons instead of serving someone?
Vehicles, people, groups—they’ll all be tagged as native or external, in order to determine the necessary level of scrutiny.
It’ll lower crime of course, because the Alphas will not only be unlikely to commit crime anyway, but they’ll also know it’s pointless to try to get away with anything. Same with visiting Betas; they’ll know it’s very hard to do something and get away with it. And if they’re working there they won’t want to risk losing their “amazing” job.
The media will highlight this
So we’ll have green zones and red zones.
Green zones are where the rich live and play. They’re heavily surveilled areas. Extremely clean. Brand new everything. Sterile perhaps, but there will also be some genuine relaxation as people roll around in their well-earned success. Congrats on those genetics and family and education choices—you picked them well.
Anyway.
The green zone will be highly secure. Safe. Happy. Vibrant.
And there will be plenty of social media streaming from these places. There will be “media” channels showing just how much fun they’re having on a regular basis. The party scene. The beautiful people. The good times.
Meanwhile, in the other 90% of the world, they sit in shit housing. With little insurance. Maybe not working, or maybe working three jobs with no benefits and unlivable wages.
And they watch.
They see all these happy ten percenters enjoying their autonomous vehicles, EDM clubs, perfect safety, healthy families, etc. And they start to get angry.
The Alphas have to leave the green zones of course. They venture out. They go shopping. They go into the more “real” areas, and tell their friends about it.
Red Zone food is so great! So authentic!
And the Red Zone people see them come in, they see them eat the food, served by other Red Zone people, and then speed off in their new model autonomous cars back to the safety and beauty of the green zone.
400 million people in America. 40 million of them are Alphas, the other 360 million are Betas.
And some of the channels watched most by the Betas start to talk about how it’s not fair. It’s not equal. Their kids aren’t more important than ours. Why are we serving them food and building their houses?
And then it gets said.
Why do we settle for this? How about this? Any Alpha that comes into this part of our town is getting rolled. We see you without enough security and we’re going to take you out.
And it’ll happen.
Alphas won’t be able to move around outside the green zones without significant security, because there will be a number of media-powered regular folk ready to take out their frustrations.
And sometimes they’ll just roll into the green zones and tear some stuff up.
The red zones will be run like third-world countries. The police will be bought off by criminal elements. They won’t protect areas that aren’t paying. They’ll be taking part of whatever they confiscate. It’ll be a sham job, like it is in so many developing countries.
The races will separate. Hatred will rise. They’ll fight amongst each other, even though the pressure is coming from above and outside, not from within. They’ll blame each other for their position, just like the Midwest is now.
Hospitals, police, utilities, etc.,—they’ll all be sub-par compared to green zones.
Diversion or destruction
So that’s one thread and option. Basically the classes massively separate and the ability for the Betas to see the Alphas like never before will exacerbate and accelerate French Revolution-style revolt.
Violent conflicts will enhance the separation even more starkly, and this trend will continue as long as the Betas are not occupied.
So it’s possible that the Alphas will devise a system for making the Betas happy in their places.
If you keep them safe, fed, warm and dry, and give them something fun (and fulfilling) to do with their lives, they actually won’t have any reason to care what the Alphas are doing as much.
This will come in the form of gaming. VR and AR gaming.
Game companies will provide massive infrastructures to occupy the entire country’s and world’s masses. And as long as they are able to get into the games, watch the shows, participate in them, they will be ok. Many of the advantages inside the games will be better than what the Alphas have in real life anyway, so there won’t be that much incentive to be angry.
This all hinges on the bottom 90% being provided with sufficient living conditions and the ability to entertain themselves with these games in a safe and sustainable way.
That’s Basic Income, basically. That’s the Alpha class paying for the Beta class to not revolt, essentially.
But gaming will be a bit of a misnomer. It’ll be more like living, but in a game framework, which is more like an alternative life framework.
I think there will be job roles in-game. Security. Police. Military. Some people will be bad guys, some people good guys. Some people will clean and serve and support, just like in real life.
The key is that this will provide them essential meaning, which everyone needs. Alphas will need it too, and maybe even more. Things that come easy don’t make for the underpinnings of a fulfilled life.
Meaning requires struggle. Purpose. Service. And contribution to a greater good.
Some Alphas and Betas will get this through real-world work, but most will get it through alternative reality.
Sustaining this model
So people will be encouraged not to reproduce too much. To be good citizens. To play and find value in the alternative reality, and to avoid questioning the structure that has been set up.
Many Alphas will go on living regular, analog lives and getting value that way. Most Betas will do whatever they have to do to pay for their alternative reality subscription, or whatever perks and mods they want to enhance their experience with.
And many Alphas will do the same.
As time goes on, actually, the Alphas won’t have jobs either. More and more will be taken over by automation, and as this happens a higher and higher percentage of people will live inside the alternative life framework. The government/corporation will pay people to not have kids, and to be good consumer citizens who provide value in-game.
Summary
In short, we kind of have two main options going forward in this soon-to-be hyper-separated class structure.
Give the unemployed and/or restless masses a diversion through virtual/augmented reality, or
Deal with the inevitable revolt from the 90% against the 10%.
There are many variables in play here, and some of them might add options to this list. But I don’t see them.
It’s going to be one or the other (or some combination).
__
I do a weekly show called Unsupervised Learning, where I collect the most interesting stories in infosec, technology, and humans, and talk about why they matter. You can subscribe here.
March 18, 2017
It’s Not About Trump Winning
The left and center of this country used to think that the biggest calamity to befall the country was half of the population thinking Trump would be a good president.
That’s no longer news, because it’s been bumped off the top spot by something even more depressing: close to half the country actually thinks he’s doing a good job.
I feel like the left is criminally out of touch with how half of the country thinks, and that’s a real problem.
I think most of the left still believes that this massive mistake was made, and that everyone hates Trump but it’s too late to do anything about it. So now we’re stuck with him.
But, as of today, 43% of the country isn’t stuck with anybody—they’re liking what they see.
Every once in a while I hear something he’s doing that I agree with, which is usually around breaking up some horribly maligned system that has been impotent and corrupt for years or decades. Trade with China is one. Can’t remember any others.
But most everything I hear from him generates physical wincing, like I just swallowed a mouthful of rotten meat that I know is going to make me sick for days. The budget where he cuts a whole bunch of things that have very little cost, and adds to the one thing where we’re spending too much. The inability to act like a human, let alone a U.S. representative, when talking to foreign leaders. The healthcare move.
What he’s doing reads to me as 10% positive, “shake it all up” vibe, mixed with 90% botched and horrible.
Oh, and the conflicts of corrupted interest.
Anyway, that was a tangent. My point is that the real problem isn’t Trump. The real problem is that half the country thinks he’s doing a good job.
Like I said before, “It’s the people, stupid.”
March 16, 2017
What Evolution Can Teach Us About Climate Change
Lots of regular, educated people are incensed about the fact that Republicans reject man-made climate change.
The biggest frustration is that their opinions seem immune to evidence, and yet the solution seems to be presenting even more.
It doesn’t work.
But there’s a precedent here that tells us everything we need to know: Republicans don’t even believe in evolution.
As the chart above shows, 48% of Republicans in 2013 believed that,
Humans and other living things have existed in their present form since the beginning of time.
I suspect those numbers are higher in 2017 than they were then.
Climate science is hard. It’s complex. And frankly, scientists are not doing a good job at all of making their case in a clear and simple way.
But evolution?
Evolution is the standard for rock-solid theories as judged by unbelievable amounts of evidence that continue to corroborate the only possible explanation for our observations.
It’s simply obvious to anyone with an open mind and an education. But half of Republicans reject it.
My explanation is this:
1. They’re not open-minded.
2. They’re not educated on the science (because they’re not open-minded).
3. They know evolution is the liberal explanation, and they don’t want to agree with liberals because it means possibly endorsing their worldview as well.
4. It goes against the Bible.
Number 3 is a big one. There are tons of studies showing that people don’t accept evidence when the implications of accepting it would lead to policy they don’t want.
Liberals have this problem with evidence that having more guns doesn’t necessarily lead to more gun violence. They reject these numbers because they don’t want more guns. Conservatives have this problem with evolution and climate change because they think a consensus will lead to changes in schools, more taxes, more government control, etc.
Summary
The main point is this: if we can’t get half of Republicans to accept evolution—which is clear fact at this point—then there’s virtually zero chance of getting those same people to accept something with a worse narrative and far more political implications.
Additional evidence is not effective in convincing people who have an ideological reason to reject that evidence.
March 15, 2017
Rural America Conflated Two Separate Issues
I was talking to my friend Mark the other day about the election and stumbled upon a realization.
There are two primary forces that pushed most of rural, white America to vote for Trump.
The disappearance of blue-collar jobs.
Overzealous political correctness.
The loss of American Jobs
The jobs have gone away and aren’t coming back. This has nothing to do with politics—it’s simply progress. American manufacturing output hasn’t fallen—it’s actually increased. Only manufacturing jobs have fallen, and that’s on account of automation. Hiring more humans to do manufacturing work would hurt manufacturing, not help it. This is true because machines are simply more efficient.
This concept of progress being both a) inevitable, and b) bad for human workers is not something middle America understands. They seek an enemy to blame it on, which leads us to the next point.
Too much of a good thing
The far left has turned political correctness and outrage into a sport. They’ve taken something good and necessary and morphed it into an extremist spectacle, and middle America cannot stand it.
What happened should have been expected: rural America combined these two things together, and assigned the blame for the first on the authors of the second.
Every single day they’re slapped in the face by a maligned version of political correctness, like 1,000 paper cuts, and at the same time they can’t find work.
It must be them.
I’m sure there are far deeper and more nuanced descriptions of what happened in the election, but I like abstraction to simplicity. They knew for sure that the liberals were responsible for one thing they hate (PC), they couldn’t find the cause of the second one (Job Loss), so they blamed them for both.
March 13, 2017
Unsupervised Learning: No. 69
This week’s topics: The Vault7 CIA dump, Russian shenanigans, Dahua, Verifone, mandatory genetic testing, WordPress, atomic storage, Google Kaggles, presenting at HouSecCon, fasting research, data wars, chaos, voice interfaces, tools, projects, and more…
This is Episode No. 69 of Unsupervised Learning—a weekly show where I curate 3-5 hours of reading in infosec, technology, and humans into a 15 to 30 minute summary.
The goal is to catch you up on current events, tell you about the best content from the week, and hopefully give you something to think about as well.
The show is released as a Podcast on iTunes, Overcast, Android, or RSS—and as a Newsletter which you can view and subscribe to here or read below.
Infosec news
Wikileaks released a massive dump of CIA files, now called Vault 7, to the public last week. The core of the content was information on various techniques the CIA could use to gain access to target systems, including Android, iOS, consumer routers, consumer Smart TVs, etc. The leak has spawned massive discussion on the internet about how new or old the exploits/attacks were, who the likely source of the leak was, whether Russia was involved, etc. The biggest misconception that came out of the whole thing was that they had hacked Signal and other secure messengers. They didn't. They hacked Android, which allowed them to steal the information before it got to Signal, et al. Anyway, my personal opinion is that this is most likely a continuation of the Russian campaign to discredit attacks on Trump, and thus to improve Russia's position in the world. Link
Russian espionage and Russian cybercrime appear to be more linked than most people thought. Evgeniy Bogachev is a known cybercrime player out of Russia, but he's also been implicated in a lot of the election-related activity from last year. He also appears to live quite comfortably within Russia, much like a prized asset as opposed to an unwanted criminal. Interesting analysis from the New York Times. Link
Verifone, the largest maker of credit card terminals used in the United States, is investigating a breach of internal networks that might have impacted numerous companies running its POS solutions. Verifone is saying that it was merely an internal network breach and that it didn't affect their payment system products. Link
Brian Krebs reported that Dahua, the second largest IoT manufacturer of things like security cameras and DVRs, just patched a major hole that allowed attackers to completely bypass authentication in some significant percentage of their devices. You could basically request the password list for any device, get a list of users and hashes back, and then send any of them in your own request to get access. Link
A House committee has proposed a law requiring employees to undergo genetic testing as part of workplace wellness programs, and will allow penalties of up to 30% of the cost of the insurance if they don't provide the data. Link
A major vulnerability was found in Apache Struts 2 web application framework last week, and scans were very active looking for vulnerable targets. The flaw was in the Jakarta multipart parser upload function, and it let an attacker send a malicious content-type value and execute arbitrary system commands. Make sure you're patched. Link
WordPress issued a new release (4.7.3) to address six vulns, including some XSS, a URL validation issue, file deletion, and a CSRF issue. Patch early, patch often. Link
Consumer Reports is adding cybersecurity to their list of rating criteria. The layout for the requirements looks pretty decent as well. Link
An Intel Security report says 93% of companies have security strategies, but only 49% are fully implementing them. I think 49% is quite high. Either they didn't respond truthfully or their strategies are really weak. If half of the companies I went to had a security strategy and were fully implementing it I'd be overjoyed. It ain't true. I'd put that number closer to 5%. Link
Cornell did some interesting research on mobile MAC address randomization. They claim they can defeat randomization on Android with 96% accuracy using one technique, and all main platforms leveraging a previous vulnerability. Link
CA bought Veracode for $614M. So let me get this right: Fortify is being sold to Micro Focus. WhiteHat is basically dead because all their talent left. And now Veracode has been sold to CA, which means we probably won't hear much from them anymore. Who's left? Checkmarx has to be loving this. Link
InfoSec Sales Engineers evidently make between $180K and $220K, making them higher paid than security engineers and cloud security engineers. It's evidently the need for a combination of skill sets, including technical skills, soft skills, and (although they didn't mention it) the willingness to travel and interact with customers constantly. Link
Technology news
IBM researchers have found a way to store data on a single atom. Link
IBM has over 600 employees working on the possibility of replacing bloated and unwieldy supply chain documentation with blockchain technology. Walmart and Maersk are among the companies who are interested. Link
Twitch, an Amazon company, has started rolling out a Twitter-like competitor called Pulse. It's not quite a Twitter clone, though, because it's really meant to just magnify Twitch content, so it ends up looking a lot like a combination of a push-based RSS system, a sharing platform for Twitch media, and a commenting system. Link
The head of the largest advertising firm says Amazon is a major threat to them. I think it's very smart for them to realize this. It's the Google for products, and Amazon is just scary good at almost everything they touch. Link
Google has purchased Kaggle, a company that hosts data science and machine learning competitions. Link
AT&T and T-Mobile are in the middle of a massive rate plan battle that is really making it nice for customers. They're especially focused on unlimited data plans. If you're a customer of either of these companies, and especially if you use your plan for tethering, consider going in to see if you can upgrade to a better / cheaper plan. Link
Human news
There's a bunch of new research on the benefits of fasting to the human body. This study talks about alternate day calorie restriction, where you eat far fewer calories one day, and then far more the next. It's early, but this appears to be some of the most promising research on weight loss and immune system health in a long time. Link
Researchers are finding increasingly interesting links between sleep, sunlight, and depression. Link
Children prefer reading books on paper rather than screens. Link
Deep Learning is helping hearing aid users pick out voices in crowded rooms. Link
Why Facts Don't Change Our Minds Link
Ideas
The Bifurcation of America: The Forced Class Separation into Alphas and Betas Link
First and Second Order Chaos Link
A Response to Benedict Evans on the Limitations of Voice Interfaces Link
Voice Interfaces Are a Combination of Voice Recognition and NLP Link
Discovery
Why the Future Doesn't Need Us. One of the first essays I ever read on the topic of future technologies and how they might affect humanity. It's from 2000 and written by Bill Joy. Highly recommended. Link
AuthMatrix — A Burp extension that provides a simple way to test authorization in web applications and services. Link
How to permanently update Burp's attack strings by editing the .jar file. Link
An interesting little visualization of different infosec career jump points. Link
MobSF — A mobile security testing framework. Link
Gartner's AppSec Magic Quadrant Analysis. Link
BloodHound — Uses graph theory to reveal hidden and often unintended relationships within an Active Directory environment. Link
Fascinating relationship analysis around Trump, his associates, and Russia. Link
Some fantastic analysis by Robert Graham on the CIA leak. Link
A quiz to learn about your personal circadian rhythm. Link
An in-depth study of over 10 years of Java exploitation. Link
RAND has released a fascinating study on 0-day and exploit data and how much harm is caused by various entities sitting on them vs. releasing them. Link
Bash Bunny — Hak5's latest pentest tool. It emulates trusted USB interfaces like ethernet, serial, flash storage and keyboards, etc., and as a result it receives tons of sensitive data from the system. Link
How online gamers use malware to cheat. Particularly interesting to me since I'm currently working on a game security project. Link
System Design Primer — Learn how to design large scale systems. Prep for a system design interview. Link
Notes
I'll be presenting at HouSecCon with my buddy Jason Haddix on the 23rd of this month. The presentation is on The Game Security Framework, and we're going to be talking all about the project's structure, the data we have so far, and where we're taking it. Link
Getting closer on my OSINT primer. I have onsite customer work next week, but I'm hoping to still finish it within a week or so.
I'm almost done with Sapiens and I'm moving on to Homo Deus, by the same author. By the way, it's Deus (as in the second version of humans), which makes more sense than what I mentioned in the podcast last week.
I finally removed the single ad I had on my website and moved to a sponsorship model. The site is currently sponsored by Netsparker, a strong web application scanner I've used off and on for many years. It's nice to not have an ad network (JavaScript) running on the site anymore, even though the one I used wasn't bad at all. Now it's just text and a link—super clean. If you need a good web scanner, head over to my site's sidebar.
Recommendations
Remember to focus on your Eulogy attributes, and not just your Resume attributes. If you were to die tomorrow, and your eulogy were next week, what would people say about you? Are they the things that you would want them to say? Take the actions that would make that the case.
Aphorism
"Extraordinary claims require extraordinary evidence." ~ Christopher Hitchens
Thank you for listening, and if you enjoy the show please share it with a friend or on social media.
March 11, 2017
The Bifurcation of America: The Forced Class Separation into Alphas and Betas
There is something monumental and transformative happening in the United States that very few people are even aware of. It’s been written and talked about for decades, but the conversation is always so academic that it never reaches those who need to hear it most.
Our country is in the process of being ripped into two distinct classes—The Alpha Class and the Beta Class.
I use these names on purpose because they sound classist. They sound as if they imply superiority and inferiority. They sound judgmental. As someone born and raised in the SF Bay Area, they sound offensive. And that’s a good thing; I’ve grown tired of sneaky euphemisms for the extraordinary restructuring of society that’s happening all around us.
The lie we’ve been told
Tens, or maybe hundreds of millions of people in this country believe a horrible lie that goes something like this:
You can get ahead by working hard even if you’re not exceptional. Get a high school diploma. Get a college degree. The degree doesn’t really matter—there’s work out there for you. You won’t be rich, but you’ll have a good life. You’ll be part of the “middle class”, and you’ll have a happy family, time off, sick time, vacations, and you’ll grow old and have a decent retirement.
It’s a filthy fucking lie, and people who believe it are walking themselves (and their children) right into a wood chipper.
Alphas and Betas
The reality is that there are two classes: The Alphas and the Betas. If you don’t know which you’re in, you’re probably a Beta. Here’s how they break down.
The Alpha Class
Members of the Alpha Class are smart, lucky, social, have rich/connected families, or are otherwise imbued with genetic or environmental gifts (another form of luck) that helped them succeed. Most went to a four-year college (at least). Most have good self-discipline.
Most come from good families that insisted on both the discipline and the college. Others are exceptionally bright or talented and succeeded due to a combination of luck and hard work. Whatever the combination of factors, Alphas command salaries of at least $120,000 per year.
Alphas live the lives that America promised. They tend to have one main, high-paying job, although they may do other jobs for fun and/or extra income. They have health insurance. They have sick time. They have some level of control over the type of work they do, and how they execute that work.
Alphas are free to consume the best in life. They enjoy the cinema. They buy electronics. They buy brand name clothing and accessories. They lease vehicles, because they only keep them for a few years anyway. They have good credit. They can get a loan whenever they want to. They have a retirement strategy.
The Beta Class
Members of the Beta Class are less intelligent, less lucky, less social, come from poor and/or uneducated families, or are otherwise lacking genetic or environmental gifts (another form of luck) that would have helped them succeed. Most did not attend a four year college, and many lack self-discipline because they did not come from good families that insisted on both of these.
Others are simply not very smart and cannot adjust to the constantly changing environment at work or in life in general. Whatever the combination of factors, Betas make less than $75,000 and often no more than $40,000 per year.
Betas live in a world of struggle. They either don’t work (a massive number of Americans not only don’t have a job but aren’t even looking), have a single, low-paying job, or they have many low-paying jobs because they’re extremely hard working. They tend not to have good health insurance, if they have it at all. They have very little sick time, or couldn’t afford to use it if they had it. They have very little control over the work they perform, and are frequently treated horribly by management at work, e.g., being given just enough hours to not qualify for benefits.
Betas enjoy very little in life. They can’t afford to spend money on restaurants, movies, and other entertainment. They can’t buy the latest and greatest gadgets on TV. They buy second-hand and off-brand clothing. They buy used vehicles because they don’t have the credit to get into a lease. Getting a loan is a nightmare, unless it’s at the local check cashing establishment. They have little or no savings or retirement.
Rejecting the lie and embracing reality
So with that brief and imperfect introduction to the two remaining classes in America, allow me to relay some difficult truth.
If you are in high school and you don’t yet have plans for your future, you’re about to enter the Beta Class.
If you are raising children and you haven’t prepared them with a college education, they are about to enter the Beta Class.
If you are in high school and “just kind of hoping things will work out”, you’re about to enter the Beta Class.
Essentially, if you’re not actively defending against being part of the Beta Class, then that’s where you’re going.
TABLE 1. — Alpha numbers shrinking in coming years.
My prediction is that the number of people in the Alpha Class will continue to shrink in coming years as the middle is completely destroyed, leaving everyone else in the Beta Class. Beta is the new default, in other words, and Alpha is something you hope to achieve through some combination of preparation, hard work, and luck.
Waking up
I’m going to state the severity of this problem as clearly as possible:
Alphas are those who enjoy American society, and Betas are those who support them doing so.
Alphas regularly eat in restaurants. Betas serve them food and wash their dishes.
Alphas drive expensive cars. Betas wash and service those cars.
Alphas buy expensive merchandise online. Betas answer the phones when they have problems.
Alphas have passports and travel the world. Betas work in airports and drive them to their destinations.
I hope you’re as sickened by reading that as I was by writing it. Get mad. Feel something. Wake the fuck up. Tell everyone you care about. This is happening, right now, all around us.
So, what can we do? I have a few recommendations:
Focus on what you can do to get ready. Vote, become a protester, enter politics, whatever. But don’t confuse those actions with preparing you and your loved ones for the world that is already here and that’s quickly becoming more severe.
Take the evil out of it. You can burn a lot of energy focusing on this group or that group that’s responsible because “they’re evil and they want to destroy America”. It’s a lot of bullshit. The number of historical, economic, and social factors leading to this reality is unbelievably massive, and it’s most definitely not because of the damn Liberals or the damn Republicans. Remove the emotion and focus on action.
Spread this message. It’s not enough to get this yourself. Help others realize that, no, it’s not “just going to work out”. Let them know that the default state is Beta, and that it won’t be pleasant.
I truly hope this essay helps someone see what’s coming—especially those who are bringing new lives into this world.
Notes
I do information security for a living, so take this for what it is—a potentially useful mental model for evaluating the world and how best to live in it. The numbers and estimates are just that—estimates—based on little more than lots of reading and thinking by a semi-intelligent, non social scientist / historian. This is not a theory, and it’s not data. It’s an idea with numbers.
I mention America specifically because I live here and know it best, but this is actually a global phenomenon. Some countries with high social and income equality will maintain a third, middle-ish class because of this, but I haven’t any idea how long that will last.
I obviously have no idea exactly what the exact Alpha/Beta numbers are, or the exact year that they’ll reach a particular number. It all depends on a) how you classify Alpha and Beta, and b) data from the real world that determines how many people are in each. Neither of those are easy to capture. My argument is simply that the numbers are useful at the level of accuracy they have. But if you have a good argument that they should be higher or lower, I’d love to hear about it.
Some of the books and articles I’ve read that have informed my opinion on this include: Sleeping Giant, numerous articles by Yuval Noah Harari, Why the Future Doesn’t Need Us, Humans Need Not Apply, and dozens of other similar pieces.
You’ll notice there’s a big gap between the $75,000 and $120,000 salaries I mention here. This is for a couple of reasons, but the biggest one is that I think there are about to be far fewer mid-level positions and salaries. More and more people will either go up or down, and most will go down.
I tried to make this very clear in the text, but if you know any of my views on free will you’ll know that I place no specialness on Alphas, or judgement on Betas. I believe it’s *all* a matter of luck, including the go-to explanation from conservatives of “hard work”. Where do you think you got that work ethic from? It was either genetic or it came from your environment, and neither of those were up to you. So I see all of this as a description of reality, not a judgement of those in it.
There are obviously some remnants of a middle class that makes little money, isn’t college educated, etc., but that still has savings and a retirement. But it’s a dying class that’s being replaced by the two above.
There are many different types of people who make less than $75,000 per year, and some of these descriptions apply to one group and not another. In general terms, there is a working class that’s poor despite both parents working multiple jobs, there are people who are actively seeking and not finding work, there are those who were working but have now given up and live at home or with friends, and there are those who are simply taking as much as they can from the government, with no intention of working.
Before all my conservative friends complain, yes, I am aware that there is another class that is Beta on purpose. They take as much as possible, use government benefits to their advantage, etc. It’s a welfare class and it’s well documented. While it’s definitely true and a factor to some degree, the numbers are actually rather small compared to those who are not working but not receiving benefits, or those who are working but not making much money. So yes, it’s a real topic, and a problem to be solved, but not one that affects this model.
I’m getting the top 15% salary of $120,000 per year from here. That of course doesn’t mean it’s going to represent the Alpha Class permanently, but it’s a good start.
__
I do a weekly show called Unsupervised Learning, where I collect the most interesting stories in infosec, technology, and humans, and talk about why they matter. You can subscribe here.
March 10, 2017
A Response to Benedict Evans on the Limitations of Voice Interfaces
Benedict Evans wrote a great piece about voice interfaces where he argues his position that voice interface isn’t quite the future of computer interface that we think it is.
He mentions a few constraints.
Given that you cannot answer any question, there is a second scaling problem – does the user know what they can ask? I suspect that the ideal number of functions for a voice UI actually follows a U-shaped curve: one command is great and ten is probably OK, but 50 or 100 is terrible, because you still can’t ask anything but can’t remember what you can ask. The other end of the curve comes as you get closer and closer to a system that really can answer anything, but, again, that would be ‘general AI’.
The interesting implication here is that though with enough money and enough developers you might be able to build a system that can answer hundreds or thousands of different queries, this could actually be counterproductive.
Here he’s basically saying that the axe has a blade for a handle—the more work you get done (by adding more and more commands), the more damage you do to your hands (because nobody will be able to remember those commands).
There’s a set of contradictions here, I think. Voice UIs look, conceptually, like much more unrestricted and general purpose interfaces than a smartphone, but they’re actually narrower and more single-purpose. They look like less friction than pulling out your phone, unlocking it, loading an app and so on, and they are – but only if you’ve shifted your mental model.
This is where I think he’s wrong. It’s not a matter of “if” we shift our mental models; it’s a matter of when.
As he talks about elsewhere in the piece, Google and others are working on populating their systems with hundreds or thousands of the most common commands, and ensuring that the responses to these are rewarding and useful.
That’s all that needs to happen. Alexa has a small number of commands it can do, but it can do them really well. And when it fails, it fails gracefully.
Siri is the opposite. It makes you feel like you can say anything, but half the time she doesn’t understand you, and the other half she does something stupid even when she does. This hurts people’s confidence in the voice interface, and keeps it from becoming their default.
Minimum viable confidence
There is a confidence number—let’s call it 90%—where people will use voice for most things by default. Alexa is nailing the execution, but lacks the depth. Siri is lacking on both. So let’s say we’re somewhere around a 60% right now on this confidence score.
All it will take to hit that magic 90% is one or more companies to use the Alexa approach and competently solve the top n number of most common queries. And like Benedict said, it’s already being worked on.
Humans are relatively static animals, so the number of scenarios we’re talking about is relatively small. I have no idea the actual number, and I’m not sure anyone does, but I’m guessing it’s several hundred to a few thousand.
Once we hit that number—with Alexa-level quality—we will also hit the 90% confidence level that people have with voice interfaces, and it will then become a default for most daily tasks.
It’s true that some tasks don’t work well without a visual component that allows you to quickly scan lots of data and make a selection. Benedict gives the excellent example here of booking a flight. But I have a few counters for this point.
Most day-to-day activities that you could use your assistant for aren’t in this category.
There will be workarounds for this, such as detecting whether you have a display available and failing gracefully when that’s the case.
Using machine learning to make intelligent guesses about what you would have chosen if you’d had the visual interface.
Having a hybrid voice/display interaction available for when displays are available that make voice even more attractive. Gesture and eye-tracking tech will enhance this even further.
It’s only day zero
Finally, I think the most important thing he’s missing is the absolute Day Zero nature of our current offerings. Alexa wasn’t in homes three years ago. Five years ago, facial recognition and Go and Poker were untouchable by computers, and it was assumed that this would last for decades (or forever).
That was basically yesterday.
So it seems extraordinarily likely to me that mapping the top n number of daily human task requests—and reaching the “minimum viable confidence level” in voice interfaces—will happen within the next five years.
That is to say that people with Alexa-like devices (and perhaps their mobile devices as well) will have made the transition to voice-first as their default method of interacting with those systems, and that pushing and poking will be considered a fallback position when in a home setting.
We don’t need to solve every problem. We only need good enough. It’s a one or zero—we’ve hit the magic confidence requirement or not. And if we had Alexa-level responses to most everything we need during the day, that would get us there.
I take all Benedict’s points, but I think we’re so early in the game that we’ll find ways to address them using various techniques. I think voice becomes a natural and default interface for home-based computers within five years, and that mobile will come soon after.
Notes
There is an interesting facet of this that will keep mobile push-and-poke for far longer: solitary mobile browsing probably makes up some massive percentage of total computing time. People sitting on a subway train aren’t going to be using voice. They’ll be pushing and poking just like they have been. So it’ll be interesting to see how people manage both paradigms in their minds, i.e., voice for issuing commands at home and while alone on mobile, but still manually swiping and typing when looking at Facebook, Reddit, etc. among others, at work, in line at the market, etc.
I’m also not sure the Uncanny Valley analogy works well here. To me that would apply if the responses returned by a voice interface were almost right, but not quite, and the effect produced an uncomfortable sensation in the user. An example might be giving back a perfect set of words, but with the wrong tone. Or saying something formal while using informal language. It’s basically a near-perfect execution that makes it worse because it’s so close but not quite. So I don’t think the issue of not remembering what commands to use would apply there.
First and Second Order Chaos
I was just reading Sapiens, by Yuval Noah Harari, and he mentioned something interesting about chaos.
There are two main classifications of chaos.
First Order Chaos doesn’t respond to prediction. The example he gave is the weather. If you predict the weather to some level of accuracy that prediction will hold because the weather doesn’t adjust based on the prediction itself.
Second Order Chaos is infinitely less predictable because it does respond to prediction. Examples include things like stocks and politics.
Basically, the first kind you can apply science to and end up with predictable behavior (within limits) even if the phenomenon is chaotic. But the second type is extremely resistant to this when the results of the predictions are available to others to respond to.
I think it’s super interesting, and useful, to recognize the difference between these two types of unpredictability.
Notes
Image from worldofpiggly.
We’ve Reached Peak Prevention
As we all know, there are two main components to risk: 1) the chance that something will happen, and 2) how bad it would be if it did. Or, probability and impact. For the last 20 years, in both terrorism and information security, we have focused on prevention (probability) and this effort has yielded some decent returns. But no longer.
We’ve simply reached Peak Prevention — a wall of diminishing return where we can multiply our prevention efforts by many fold and get no reduction in risk (and perhaps even an increase due to ever-advancing threats). 10 years ago we were at around 50% prevention maturity, and now we’re at roughly 90%. If we spend another 10 years and 10 trillion we can maybe get to 95%. But all that effort would provide only a small fraction of what we could achieve by making successful compromises less costly.
Imagine if we’d said to the terrorists after 9/11 that we would start cleanup and rebuilding the following Monday. What if we told them that we lost that many people in car accidents the year before, and that innocent civilians are easy to kill? What if we told them that we would be just fine–that we’d pick ourselves up and continue on as if nothing had happened? No TV shows about the terrorists, no books, no attention. What if we told them that they’d be dead soon, and that nobody would remember their names?
Had we done that we would have spent a few billion dollars, and had a tough couple of years. Instead, we reacted in the worst possible way, dealing a self-inflicted wound that has cost us trillions upon trillions. The attack didn’t hurt us that bad–our response did. What we need for terrorism is resilience, not more prevention, and the same is true for information security.
Imagine if we were to say that digital identities are easy to steal, and that social security numbers are already out there, and that they’re not as important as we thought they were. Or perhaps that corporate networks are too massive to perfectly defend, and that breaches are often inevitable. What then?
Answer: We would move from a paradigm of terror at the thought of a breach, and panic once one has been detected, to that of practiced, mature preparation and controlled response. In short, we may not be able to lower the probability value much more in the risk equation, but we can absolutely adjust the impact. And if the impact goes down, so does the risk.
In this world, the negative publicity from getting hacked comes only from negligence with controls and/or a poorly handled incident response or notification. As it becomes understood that highly trained, asymmetrically resourced adversaries will penetrate highly complex global networks and do harm, the taboo of compromise is all but removed.
In fact, we’re already starting to see that happen. In the last decade we’ve seen literally hundreds of public breaches, with a staggering number coming in the last few months alone. Some of these companies have been rocked by their incidents, while others are virtually unscathed after just a few short weeks.
What’s the difference?
The Role of Controls
Many who make a living in security probably don’t want to hear that we’re about to switch to a resilience paradigm from one of prevention, as it seems to almost trivialize compromise.
Nobody will care if they get hacked!
But that’s not true.
The difference between a company that goes on to be successful after a breach and one that suffers immeasurably is that the former had the controls in place and the latter did not. And I’m not just speaking of a few technical controls: I mean a robust, highly mature information security program that has not just the technology but also the processes and training to respond properly when something does take place.
So the security industry will be just fine. The difference is that companies who are judged to have done everything right, but still got hacked, will not suffer the shame that is still associated with being compromised. This will become commonplace, and an accepted part of doing business in the 21st century. The stigma is falling away.
The only question will be whether or not you had your shop in order when it happened, and whether you responded appropriately. Consumer confidence in your company, and your stock price, will reflect this truth.
Two Approaches to Reducing Impact
Once we’ve accepted that the future path of risk reduction lies in reducing impact, we can start to look at ways to accomplish that. I see two primary ways to do so:
Significantly Reduce the Impact of Common Compromises
This portion of the solution will have many technological components, including an idea I got from recent password compromise issues. I believe the networks of the future will store their data in a decentralized way that makes common compromises virtually useless.
In other words, access to data as a result of a low to mid-level compromise will not yield anything of use to attackers because they’ll only have a tiny percentage of what’s required to make the data usable. And getting the other requisite pieces would require failures across multiple other areas in the company’s defenses.
Savvy readers will know that this will not thwart attackers completely, and that they will move their attacks to locations and users who can access the complete data set (someone has to have access to it, after all). We’re already seeing this today, actually, but this is not a reason to abandon this approach. The fewer the systems that grant access to the real data, and the more effort it takes to get to the real data, the more time and chance we have of finding and stopping them.
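One way to picture the decentralized storage idea above is all-or-nothing XOR splitting of each record across independent stores. This is an added example, not something from the original post: the `SplitDatastore` class, its method names, and the sample record are all constructed for illustration.

```python
"""Added illustration: n-of-n XOR splitting of a record across separate stores."""
import secrets
from functools import reduce


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("shares must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_record(record: bytes, n_stores: int) -> list:
    """Return n_stores shares whose XOR is the record; any fewer reveal nothing."""
    if n_stores < 2:
        raise ValueError("splitting needs at least two stores")
    # n-1 shares are pure randomness; the last one ties them to the record.
    shares = [secrets.token_bytes(len(record)) for _ in range(n_stores - 1)]
    shares.append(reduce(xor_bytes, shares, record))
    return shares


def combine(shares) -> bytes:
    """XOR the given shares together (the record, if every share is present)."""
    shares = list(shares)
    if not shares:
        raise ValueError("no shares supplied")
    return reduce(xor_bytes, shares)


class SplitDatastore:
    """Hypothetical datastore: each dict stands in for a separately defended system."""

    def __init__(self, n_stores: int):
        self.stores = [dict() for _ in range(n_stores)]

    def put(self, record_id: str, record: bytes) -> None:
        shares = split_record(record, len(self.stores))
        for store, share in zip(self.stores, shares):
            store[record_id] = share

    def get(self, record_id: str) -> bytes:
        """Legitimate read path: needs access to every store."""
        return combine(store[record_id] for store in self.stores)

    def breach(self, compromised, record_id: str) -> list:
        """What an intruder who got into only `compromised` stores walks away with."""
        return [self.stores[i][record_id] for i in sorted(set(compromised))]


def missing_share_for(partial_shares, candidate: bytes) -> bytes:
    """Share that would make `candidate` the plaintext, given the stolen shares.

    One exists for every candidate of the right length, so a partial breach
    cannot confirm or rule out any particular value.
    """
    return reduce(xor_bytes, partial_shares, candidate)


if __name__ == "__main__":
    db = SplitDatastore(3)
    record = b"ssn=000-00-0000;name=Constructed Example"  # constructed sample
    db.put("r1", record)
    stolen = db.breach([0, 2], "r1")
    print("two of three stores:", combine(stolen).hex())
    print("all three stores:   ", db.get("r1").decode())
```

Each share still reveals the record's length, and anyone who reaches every store recovers the data, which is the residual exposure the paragraph above acknowledges.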
Reduce the Value of the Data That is Stolen
This one is harder, but it’s still possible if enough people are involved and energy is put into it. Examples here could include modifying the requirements for getting a credit card, procuring a mortgage, etc. If additional factors (stronger factors) are added to the equation we could see the impact of SSNs or CCNs being stolen plummet significantly.
In short, not only make it less of an issue if you’re compromised, but make the leaked data less valuable as well. Again, this is something that’d have to be done at multiple levels, with multiple organizations helping, but any progress would be significant progress.
Conclusion
However it’s accomplished — and it’ll definitely be through a myriad of approaches — this shift is upon us. We’ve had a good run at catching the prevention unicorn, and we need to maintain our ground and continue to innovate in that area to some degree. But the true progress in future risk reduction will come from reducing the impact of breaches. The sooner we accept this the better.
Notes
This is a concept I wrote up many years ago, and a presentation that I’ve done a couple of times in the past. I’m simply consolidating the concept and the presentation in one place here.
March 9, 2017
Computer Voice Interfaces Are a Combination of Voice Recognition and NLP
To a casual observer, it might appear that “voice interfaces” to computers—like Siri or Alexa—are a single technology space. In fact it’s useful to think of them as two problems combined.
First, the computer needs to fully understand exactly what you said. That means deciphering mumbling, removing background noise, handling different voices and accents, etc. That’s difficult, but we’re getting better at it.
Second, the computer needs to understand what you meant to do. This is difficult because it means translating and mapping that input to existing commands, and then executing them.
These are very different problems. The first one is called Voice Recognition, and the second is called Natural Language Processing.
[ NOTE: Natural Language Processing and Neuro-linguistic Programming share the NLP acronym, but they’re quite different. Most notably, Natural Language Processing is a real and developing science and Neuro-linguistic Programming is mostly debunked pseudoscience. ]
You can have a system that’s great at figuring out exactly what you said, even if you mumbled or have a thick accent, while speaking quietly on a subway, but has no idea how to turn your sentence into actions it can perform.
As an example, you might mumble:
Find a better song than this garbage.
If this system is limited with a few hardcoded commands, such as PLAY $ARTISTNAME, then the system will respond back with an error, or a request for clarification, because it didn’t hear the keyword PLAY.
Conversely, you could have a system that could perfectly understand that sentence, except when you say it—even in a relatively quiet setting—it instead hears:
Fire the buttress log on the garage.
Again, one side of the system let down the other side, and the system as a whole responds with an error or an additional prompt.
Both sides evolve together
The key point here is that the system is generally only as good as the worst side of this equation. Voice interfaces continue to become more usable because they’re advancing in both of these areas simultaneously, and they’re incorporating the improvements of each into new iterations.
Summary
Voice interfaces to computers require both voice recognition and NLP.
These are quite separate and it’s possible to be good at one and bad at the other.
The system overall can only be as good as the worse of the two.
We’re seeing improvements in voice interfaces because both sides are improving simultaneously.
The next time you interact with a voice system, and it fails, think about which of these two components was responsible.
Notes
I’m not an expert in this field, but I am willing to wager that each of these two categories (Voice Recognition and NLP) likely breaks into many others. I think it’s useful, however, to think about them as two components in many contexts.
