Daniel Miessler's Blog, page 130
February 24, 2017
IQ and Creativity Bias in a Post-work World
I think the post-work world is going to heavily favor those with high IQs, and I think this could be a major factor in the social tensions that will arise due to economic stresses.
IQ isn’t magical. It doesn’t guarantee success. But it does predict success, and I think the biggest reason for that is being flexible in new environments and situations.
And that’s precisely what will be needed when 25%, 50%, and 75% of work gets consumed by automation, machine learning, and robots. It’s not just a blue-collar problem; it’s a workforce problem. Investment bankers are being replaced by machine learning, accountants are being replaced by IBM Watson, and this is just the very beginning.
So who survives? Who finds a way to make money in this type of environment?
I think smart people do. Smart and creative.
It’s people who figure out quickly that they need to have a brand, to broadcast themselves and their many different skill sets, to promote that package, market it, and ensure that they do good work to keep their reputation scores up.
You could be a programmer, a designer, a dog-sitter, or…whatever. The point is that companies will be firing employees on a massive scale. We seem to have forgotten that they exist to serve customers, not to employ people, and that they will shed every single employee they can in order to achieve that goal.
So what’s left is what individuals can market of themselves, and I think the key will be how well you can broadcast your abilities to others. Expect to see platforms emerge that serve influencers in this purpose. They’ll magnify them, find audiences, monetize audiences through micropayment and subscriptions, etc.
So, being an influencer is the future of work. Everyone becomes a mini Tony Robbins pushing their own services, regardless of what industry you’re in.
IQ is great for this. Creativity is great for this. Strong writing skills are great for this. Grit is great for this. These are the new attributes for success in a world where your payment comes from the quality of your output multiplied by how well you present yourself to the world.
People without IQ or creativity—which are often highly correlated—are going to be especially displaced and marginalized by the changes that are coming. And they’re going to be angry, vocal, and eventually violent.
Basic Income will help in the long-term, but there will be a significant gap between when we realize Basic Income is needed and when we can practically implement such a system at scale.
In the meantime expect those with the IQ and creativity to rise to the top and make a decent living, while the bottom 75-95% struggle mightily.
If you want to prepare young people for what’s coming, prepare them to market themselves as individuals. What are their core skills? Core attributes? Core messages. Core value propositions. If they can’t articulate those things, or don’t have anything to articulate, they will get left behind.
This is the future of work, and the smarter and more creative you are the better your chances to survive.
Notes
Another set of skills that will play well here are personality and physical attractiveness. Being super good looking, or funny, or good at performing in some way will be extremely marketable in this new economy, and we’re seeing this type of thing already in YouTube stars, etc. That’s not a fad; it’s the future of personal productivity.
__
I do a weekly show called Unsupervised Learning, where I collect the most interesting stories in infosec, technology, and humans, and talk about why they matter. You can subscribe here.
February 22, 2017
The Need for Hamilton vs. Jefferson as Society Evolves
I’m deeply in love with history right now (and especially American history) due to my reading of the Hamilton biography. It’s over 800 pages, but worth it.
One of the things it has me thinking about is the disagreement between Hamilton and Jefferson about how to run a government, and a nation. In general, Hamilton was for a strong central government, a strong military, and big cities. Jefferson was all about strong state governments, less focus on military, and focus on rural areas. That’s an oversimplification of course, but they’re some of the key points.
What strikes me is that the question shouldn’t be which is right and which is wrong. I think the genius is that we have two very powerful models to work with in the first place. That’s progress enough.
No, I think the question is instead when to use which of the two.
I feel like there are phases and maturity levels for civilizations, and governments, and populations—and at any given time that group might need one while it will need a different one later.
My non-expert impression of this is that Hamilton is more right while there is youth and chaos, and that Jefferson is more right when there is maturity and wisdom.
In short, the more maturity you have, the more individuality and freedom should come with that. And the more raving and frothing you are, the more limitations you need in order to keep from harming yourself and others.
I think the parent and child metaphor works well here, although Jeffersonians will balk at it. “You’ll not treat me like a child!”, they’ll say.
Well, children need to be treated like children. Not because they’re inferior, but because we know they will eventually be equals and we want to see them make it to that age. So if you want to see them survive you have to place some limitations on behavior.
The trick is knowing when it’s time to remove those boundaries and enable full freedom, and the fear is that this is hard to do once the freedoms have been curtailed. I think it’s possible, though, and even more than possible—it’s essential.
It seems like there’s a natural progression we can witness.
At the earliest stage it’s all about freedom, because there’s no government to speak of.
Then there’s force-based control in small groups, like warring tribes.
Then there’s a dictatorship-type situation.
Then there’s an offshoot Jeffersonian government that goes rogue.
Then there’s a strong, central, Hamiltonian democracy.
Then, finally, once we’re all sorted out, we can get back to a Jeffersonian model of individual and local freedoms trumping the central authority (because they’ll largely be in sync).
I’m sure someone who’s read more about this can show me 114 books on this topic that cover it much better than I just did, and I’d like to read them. So if you’re one of those people, let me know.
I just find the Hamilton vs. Jefferson thing to be a false dichotomy. People need different types of government at different times, based on their maturity.
Notes
I never liked history as a kid, and I do blame my teachers in elementary school. Teaching without passion should be a crime punishable by unemployment.
February 21, 2017
Unsupervised Learning: No. 66
This week’s topics: My recap of RSA 2017, Google’s zero-trust implementation, Trump domain hacked, robots doing your taxes, the IoT Security train analogy, the future of authentication, toolswatch best tools of 2016, and more…
This is Episode No. 66 of Unsupervised Learning—a weekly show where I curate 3-5 hours of reading in infosec, technology, and humans into a 15 to 30 minute summary.
The goal is to catch you up on current events, tell you about the best content from the week, and hopefully give you something to think about as well.
The show is released as a Podcast on iTunes, Overcast, Android, or RSS—and as a Newsletter which you can view and subscribe to here or read below.
Infosec news
My RSA 2017 Recap Link
Yahoo! is sending out another round of notifications to users saying there was an issue last year where attackers could create backdoor cookies using internally created software. This creates more questions than answers for me. Link
A U.S. company's toy called My Friend Cayla is a doll that can be controlled via speech recognition and over the internet via an app. Germany has classified the doll as an illegal espionage apparatus and has demanded that German stores stop selling it. The fallout from Snowden continues. Link
There's a new piece of Mac malware that's supposedly linked to the APT28 group that is said to have been associated with election related hacking last year. Link
Google shared their zero-trust network security implementation at RSA last week. Lots of companies talk about this, but they're actually doing it. And it's taken six years to get where they are. Link
IBM researcher Charles Henderson can still follow his car everywhere, even though he sold it a long time ago. Link
Researchers are warning that voice authentication is not good enough, and that it must be combined with other authentication types. I 100% agree. Link
Dutch researchers have found a way to undermine ASLR protection, which could make it much easier to create working exploits. Link
Technology news
A subdomain belonging to Donald Trump was hacked by someone who left a pro-Iraqi message. Secure2.donaldjtrump.com was evidently compromised through a DNS configuration flaw. Link
Apple has purchased an Israeli company called RealFace that specializes in facial recognition. I hope they don't go to this exclusively, as I think it's going to be a lot more error-prone than TouchID. Link
Google Fiber is shrinking massively as it prepares for new connectivity deployments to be mostly wireless. Link
The cost of manufacturing carbon fiber has fallen massively, and the price to consumers is about to follow. Link
Human news
Robots will soon do your taxes. Those jobs are just about gone. Link
Bill Gates is quite worried about bioterror. Link
We don't understand consciousness, and we don't understand quantum physics. Some researchers are starting to ask if that's more than a coincidence. Link
26% of American adults haven't read a book in the past year. I suspect the problem is far worse than that. Link
The extreme nerdiness of hand-drawn infographics. Link
Ideas
IoT Security's Train Analogy Link
Violence and Terror Are Not the Same Link
My article from 2015 on the Future of Authentication Link
With Machine Learning, Batteries Are Often Not Included Link
Discovery
The ToolsWatch best security tools of 2016. Link
An unbelievably great deck by Momentum Partners on big moves in the InfoSec space. Link
DataSploit: Performs various OSINT techniques and organizes results visually and into usable data. Link
A great presentation on starting in IoT hacking. Uses the IOT Security Project that I lead. Link
Combining OpenCanary and DShield. Link
Notes
Here are the slides from my RSA talk on securing Medical Devices using Adaptive Testing methodologies. Link
Here are the slides from my IOAsis talk on implementing Honeytokens throughout the stack without a budget. Link
I'm going through the RSA 2017 vendor list and condensing each interesting technology company into a single sentence. I need someone to pick an alphabet letter and help me clear out the list. I'm currently in the D's (lol). If you want to volunteer for a letter, ping me at danel@danielmiessler.com. Link
I'm about halfway done with the Hamilton biography, and I've just purchased the Federalist Papers as well, which I'll read next. Link
Recommendations
Ensure that your backup strategy is resistant to malware. In other words, if ransomware malware can get to your backups, then you might as well not have any backups.
Aphorism
"By doing just a little every day, you can gradually let the task completely overwhelm you." ~ Unknown
Thank you for listening, and if you enjoy the show please share it with a friend or on social media.
February 20, 2017
My RSA 2017 Recap
Every year I try to recap what I saw and did at RSA, so here’s the capture for 2017. It won’t be comprehensive, but should get most major things.
Impressions
Things are just fine for companies selling products, but not so great for the companies using them.
We continue to under-emphasize fundamentals, and we get hacked as a result.
I was hoping this year would see more companies talking about resilience instead of prevention, but I didn’t get that impression from the floor or from the vendor list.
Activities
IOAsis: This was my second RSA at IOActive, and this year was both more stressful and more excellent than last year. The IOAsis, for those who don’t know, is an off-location event that IOActive puts on at the major security conferences, and basically serves as a getaway from the main event where there are too many people. This year I had a couple of panels, a couple of talks, and a ton of customer meetings and media interviews. Lots of stress, but lots of productivity as well.
Hanging with Friends: What I look forward to most is seeing my friends and co-workers all in one place.
Vendors and Networking: RSA to me is a sales, vendor, and networking conference. It’s a chance for me to see the various vendors and what they’re selling and a chance to see all my security friends who I only see a couple of times a year.
Speaking: I spoke at RSA on Thursday on the topic of testing Medical Devices, and the slides are here.
RSA Vendor Categories
RSA organized their vendors into the following spaces, which I found interesting enough by itself.
Analytics, Intelligence, and Response
Application Security & DEVOPS
C-Suite View
Cloud Security and Virtualization
Cryptography
Governance, Risk, and Compliance
Hackers & Threats
Human Element
Identity
Law
Mobile and IoT Security
Policy & Government
Privacy
Professional Development
Protecting Data & Applied Crypto
Technology Infrastructure & Operations
My Vendor List
I didn’t get to walk the floor as much this year as I normally do, but I did see or hear about a few key ones. My favorite types of technologies right now are based around data analysis, biometric authentication, attack surface and risk visibility/scoring, and deception.
What I’ve done here is gone through the RSA 2017 Vendor List and captured vendors that I found interesting in some way. If I already know the vendor and/or think it’s common knowledge, I probably didn’t list it.
These are meant to be those that are new or noteworthy in some way.
[ NOTE: These are my own hyper-concise summaries for these vendors and many could be inaccurate. I created this list either based on my own experience with the vendor or by reading the short summary they had published on the RSA site. Don’t take it personally if I mangle a product you’re close to; reach out and I’ll fix it. ]
Acalvio: DEVOPS integration of Deception technologies.
Adlink: IoT UTM device.
Agari: Enterprise phishing defense.
Akips: Virtual network monitoring appliances.
AlgoSec: Security policy management across cloud, on-prem, SDN, etc.
Allegro: OEM-focused embedded device software security.
AllthatSoft: Mobile application defenses, including obfuscation.
Anomali: Adversary detection through realtime threat indicator correlation.
Appthority: Mobile risk analysis and analytics.
Apricorn: Portable USB storage security.
Aqua Security: Virtual container security.
Armis: Wireless/IoT security.
Arxan: Application self-protection.
Attivo: Deception-based threat detection.
Auth0: Simplified SSO.
AvePoint: Protects O365 and SharePoint data.
Ayehu: IT automation and orchestration.
Baffle: Reduces impact of breaches by encrypting all data.
Balabit: Privileged user monitoring and user behavior analytics.
Bandura: GeoIP-based filtering.
Bastille: Security for the Internet of Radios.
Bay Dynamics: Prioritize enterprise security activities based on risk.
BehavioSec: User behavior analytics.
BigID: Helps enterprises secure the personal data they store.
Biscom: Enterprise data transfer technologies.
Bitglass: Real-time CASB.
BitSight: Security ratings for companies based on many factors.
Bivio: Counter-threat technologies with many Federal customers.
Blackduck: Understand the risk of the open-source software you’re using.
Blueliv: Scrapes the deep/dark web finding information on your organization.
BlueTalon: Data-centric security focused around noSQL technologies.
Bradford Networks: Reduces malware containment time.
Bricata: Modern NGIPS-based threat detection.
Bromium: Application isolation technology.
Bufferzone: Virtual container technology.
Buguroo: Cyberintelligence based on static analysis, vulnerability management, fraud detection.
Carbon Black: Next-gen endpoint security.
Catbird: Software defined network microsegmentation.
Cavirin: Security and compliance across physical, public, and hybrid clouds.
Cavium: High-throughput network gear.
Centri: Data security for the Internet of Things.
Centrify: Secures enterprise credentials and systems through centralization.
Centripetal Networks: Threat Intelligence gateway.
CheckRecipient: Ensures sensitive data isn’t sent to the wrong people via email.
Cloudera: Data management and analytics.
Cloudlock: API CASB.
CloudMask: Track and protect data throughout its lifecycle.
CloudPassage: Visibility and protection for servers in any environment.
Cobalt Labs: Trusted, crowd-sourced pentesting platform.
Code42: SaaS provider of endpoint data protection.
Corax: High-level risk metrics that enable better decision-making for your organization.
Corelight: Bro-based network monitoring.
Corero: Realtime, high-performance DDoS defense solution.
Counter Craft: Automated deception-based counterintelligence campaigns.
CounterTack: EDR technologies.
Covertix: Find, classify, and protect sensitive data as it travels.
Covisint: Identity for the Internet of Things.
CradlePoint: Software-defined, always-on connectivity based around 4G LTE.
CrossMatch: Risk-based authentication by user and context.
CrowdStrike: Endpoint protection, threat intelligence, and response.
CryptoMove: Active defense.
CryptoSense: Identify and remove crypto-based bugs in software.
Cryptzone: Software-defined network access solutions.
CSPi: Cyber-threat detection and solutions.
CTERA: Secure file services within the cloud.
Curtail Security: Identify zero-day through software-based traffic analysis.
Cybellum: Zero-day protection platform.
CyberArk: Enterprise credential and privileges control.
Cybereason: Detection and response using big data, behavioral analytics, and machine learning.
Cyberfend: Defends stolen credentials.
CyberOwl: Early warning system for high value targets including IoT.
Cyber Triage: Endpoint-based incident response software.
Cybric: Continuous security-as-a-service platform for SDL.
CYBRScore: Measures a user’s ability to defend a network.
CyKick Labs: Defends web applications with machine learning and big data analytics.
Cylance: Machine learning based endpoint protection.
Cymmetria: Cyber deception startup.
Cyphort: Integrate with security tools to discover and contain advanced threats.
CYREN: Cloud-based proxies and sandboxing.
Cytegic: Cloud-based cybersecurity management solution for risk management.
D3 Security: Incident response and case management.
Daon: Developing and deploying biometric authentication.
Dashlane: Access management.
Datablink: Advanced authentication and transaction signing.
DataLocker: Hardware and cloud-based encryption solutions.
DataSunrise: Database security.
Dedrone: Complete drone detection and countering platform.
Defence Intelligence: DNS security solutions.
DefenseStorm: Unifies detection, investigation, reporting, and compliance into one platform.
Digital Shadows: Provides a complete view of an organization’s digital footprint and its attackers.
Distil Networks: Web application bot detection and mitigation.
DomainTools: Turns threat data into threat intelligence, linking indicators to domains.
Drawbridge Networks: Microsegmentation based automatic detection and response to internal attacks.
[ …to be continued. Currently stopped in the D’s, but will continue soon. If you want to help let me know on Twitter. ]
Notes
The vendor list is very much focused on technologies, so there aren’t many solution or service companies listed.
February 15, 2017
IoT Security’s Train Analogy
I have an analogy I like to use for IoT Security: it’s like a giant train that seats billions of people, and it’s currently boarding.
The people getting on read the marketing and they’re super excited—IoT is evidently like Disneyland, but way better. The conductor is the free market, and there is nothing stopping him from leaving the station as fast as possible.
All of us in security are shouting and waving our hands frantically from the station. We saw the conductor build the train as fast as possible using random spare parts, and we’re telling people not to get on so quickly—to think about it, to re-read the brochure. We’re telling the conductor he’s got major issues with the train, and that he shouldn’t leave without having them addressed.
But nobody is listening.
Our punishment, like a horrified time traveler with no ability to interact with the past, is that we’re about to watch this train crash, frame by frame, in slow motion, for the next 30 years.
We saw the train get built, we saw the people get on, and we saw it crash. But there was nothing we could do to stop it. And the pain was magnified exponentially by the fact that we knew what could have been done to prevent the tragedy.
It’s just like the Internet. Imagine you go back in time to 1995 and you start screaming at everyone about the dangers of using unauthenticated UDP for core infrastructure.
Nobody would listen. They would ignore you because functionality is the priority, and true understanding of risk only comes from hardship.
The internet would get built mostly the same as it was because suffering is part of the necessary cycle. And here we are with lots of scratches and bruises, but we’re ok.
It’s going to be the same with IoT Security.
But this time the scale is far greater, as in trillions of connected devices, and so the impact will be greater as well.
Summary
Here’s what we can say for sure:
The train is not safe.
The train is leaving and there’s nothing we can do to stop it.
The train WILL crash, and our punishment will be to watch it crash in slow motion when we knew what could have been done to prevent it.
And finally, it will be ok.
Let’s do our best to view the future with the wise lens of inevitable hindsight.
Notes
The good news here is that there are other train factories and other train stations still being built, and we can do our best to influence things there even though we couldn’t help the main one. And over time, after many crashes and millions of incremental improvements, things will improve.
February 9, 2017
Violence and Terrorism Are Not the Same
The left continues to make noises about how recent violent attacks perpetrated by white people are not being labeled as terrorism because of racism. I think there’s a lot of confusion here, and I’d like to address it.
Racism is obviously real, and obviously a problem. And it’s true that it can lead to groups treating people who look like them better than those who don’t.
The problem is when you naturally assume that violence committed by whites is always terrorism, and that when it’s not labeled as such it’s definitely because of racism. That’s not a jump that should be made by default.
Definitions and examples
Let’s look at a definition of terrorism (via Google).
Terrorism
/ˈterəˌrizəm/
noun
The unlawful use of violence and intimidation, especially against civilians, in the pursuit of political aims.
The “in pursuit of political aims” is key here, and I think it should be expanded to include some measure of scale. If I were to define terrorism I’d add some sort of component of unity in action, i.e., there should be some measure of organization and coordination taking place, either in terms of the message or the attacks.
This is to say that people who are acting alone—as part of their own personal political beliefs—and not part of some movement external to them, should not, in my mind, be considered terrorists.
That’s just violence.
Here are some examples that show both sides of the issue:
Timothy McVeigh acted alone but was tapping into a larger militia-based message of anti-government. I’d call that terrorism.
Many years ago two black men went on a sniping rampage around D.C., killing around 20 people. The leader, Muhammad, was part of the Nation of Islam, but they were also disturbed and didn’t appear to be tied to any particular group or cause. I would call that violence, not terrorism. Maybe part of his hatred came from his interpretation of Islam. Maybe he was thinking about that while he did the acts. Doesn’t matter. He was not acting as part of any campaign, so he was just a disturbed guy doing bad things.
School shootings are horrific, and they tend to be committed by white people. They produce much the same effects as terrorism, but they’re not terrorism at all in my mind. It’s violence. Again, the causes are school bullying, bad parenting, mental health issues, and general teenage angst. That’s violence, not terrorism.
The white guy who killed a bunch of people in a black church I wouldn’t call a terrorist either because he acted alone and wasn’t attaching his actions to any sort of joint cause. He did tie his actions to a political viewpoint (racism), but it wasn’t linked to anything larger than him and his ideas. That makes it violence and not terrorism in my mind.
The San Bernardino shootings, the numerous attacks in France, and other similar attacks clearly register as terrorism to me. They do so because they’re part of a single narrative of Islam vs. the west, and they represent a joint fabric of ideas that are actively encouraging more of the same. The idea is that there should be a global Caliphate that institutes Sharia and subjugates or murders those who don’t conform. And the leaders of this movement are asking followers to hurt people. So when people do, and give that as a reason, that’s terrorism.
If a devout Muslim guy gets depressed about a divorce and kills some people at work while screaming, “You helped her cheat on me!”, that’s not terrorism.
If we start seeing a neo-Nazi movement that attacks minorities, and has some sort of unified message and campaign, like, “Kill all the immigrants.”, and some white kid—even by himself with no help from others—mentions that campaign while he hurts someone, that’s terrorism. Same if it’s a black or Asian person doing the crime.
The difference is the tie to a campaign, and I think it’s an important one.
Summary
Violence and terrorism have similar destructive force.
Terrorism, however, is violence that’s explicitly tied to an active, unified campaign of ideas.
If you hurt people—no matter your race or religion—and your actions were not tied to any such campaign, then you’ve committed violence, not terrorism.
February 7, 2017
It’s the People, Stupid
Imagine you have decided to spend your life evangelizing healthy eating.
And then imagine that you happen upon a population that does nothing but scream out constantly for candy, sugar, and cake.
We want cake! We want cake! We love sugar. We want sugar!
Day in and day out, that’s what the people yell. And it’s all they’ll eat. You show up to their rallies with whole breads and vegetables and you are lucky if you’re ignored.
Then one day a leader emerges in the ranks. A man who claims to have the most candy of anyone. And the most cakes.
Everyone deserves sweet foods! They’ll not force their nuts and grains upon us!
He becomes wildly popular, and is elected president.
When the healthy eaters hear about this they’re appalled.
How can this president say these things about sugar being good for you? How can he say that wheat bread is for unsuccessful people? How can he say that vegetables are for gays?
They assemble. They hold rallies. They protest. Everyone is furious with him. He’s evil, they say. He’s breaking everything, they say.
Except he’s not the problem.
He could not exist without millions of people chanting for tooth decay. He could not exist without people casting votes for diabetes and heart disease.
Without the people, he would be a clown selling candy. But with people who like clowns and candy, he’s an absolute celebrity, and indeed the savior of the sweet world.
It’s a silly story, but the concept maps clearly onto reality.
People are infuriated with what Trump is doing, but they are ignoring the fact that roughly half the country is still supporting him. They like what he’s doing. 5/5—would elect again.
You keep attacking Trump, but he’s not the issue. The issue is around 180 million dumb people who don’t read books, don’t trust evidence, and can be convinced of anything that makes them feel good emotionally.
Fix that and you fix Trump. Don’t fix that and there will be 1,000 Trumps lined up behind him when he’s gone.
In democracies it’s not the leaders’ fault. If you want to effect change, get the people to read some history and science. If you can’t do that then it doesn’t matter what you say about the leader. You’re attacking symptoms rather than diseases.
It’s the people, stupid.
Notes
I am quite aware that there were good reasons to vote for Trump, and that some small percentage of people might have used those reasons when they did so. But they’re the minority. Besides, the issue also applies to impotent, feel-good liberals who don’t effect positive change. It’s the same problem on both sides; the situation with Trump is just particularly acute.
Unsupervised Learning: No. 64
This week’s topics: Tax phishing, Microsoft SMB vulnerability, Cellebrite tools released, Computer interfaces, Mobile 2.0, new projects, more…
This is Episode No. 64 of Unsupervised Learning—a weekly show where I curate 3-5 hours of reading in infosec, technology, and humans into a 15 to 30 minute summary.
The goal is to catch you up on current events, tell you about the best content from the week, and hopefully give you something to think about as well.
The show is released as a Podcast on iTunes, Overcast, Android, or RSS—and as a Newsletter which you can view and subscribe to here or read below.
Thank you for listening, and if you enjoy the show please share it with a friend or on social media.
February 5, 2017
An Exploration of Human to Computer Interfaces
I read and think a lot about how humans interact with computers, and what that interaction will look like at various points in the future.
I was going to call this a hierarchy of human to computer interfaces, but quickly realized that it’s not a hierarchy at all. To see what I mean, let’s explore them:
Input interfaces
This is what most think of when they think “interface”, i.e. how you interact with the computer.
Manual Physical Interaction: original key-based keyboards, physical switches, etc.
Manual Touchscreen Interaction: smartphones, tablets, etc.
Natural Speech: Voice: Siri, Google Assistant, Alexa
Natural Speech: Text: messaging, chatbots, etc.
Neural: You think, it happens. No mainstream examples yet exist.
Output interfaces
A key part of that interaction, however, is how the computer returns content or additional prompts to the human, which then leads to additional inputs.
Physical or Projected 2D Display: standard computer monitor, LCD/LED display, projectors, etc.
Physical or Projected 3D Display: augmentation of vision using glasses, or projection effects that emulate three dimensions.
Audible: The computer tells you its output.
Neural Sensory: You “see” or “hear” what’s being returned, but it skips your natural hardware of eyes and ears.
Neural Direct: You receive the understanding of having seen or heard that content, but without having to parse the content itself (NOTE: I’m not sure if this is even possible).
Technology limitations vs. medium limitations
Given our current technology levels, we’re still working with Manual Touchscreen Interaction and Display output for the most part, and we’re just starting to get into Voice input and output.
But like I mentioned above, this isn’t a linear progression. Voice isn’t always better than visual displays for displaying information to humans, or even for humans giving input to the computers.
Benedict Evans has a great example:
@Rotero try choosing a flight on the phone
— Benedict Evans (@BenedictEvans) February 5, 2017
My favorite example is Excel. Imagine working with a massive dataset like so:
Read row one-thousand forty-three, column M…
…and your dataset has 300 thousand rows and 48 columns. Seeing matters in this case, and voice might be able to help in some way, but it won’t replace the visual. It simply can’t because of bandwidth limitations. When you look at a 30″ monitor with massive amounts of data on it you can see trends, anomalies, etc.
And that doesn’t even include the concept of visuals like graphs and images that can convey massive amounts of information very quickly to the human brain. Voice isn’t ever going to compete with that in terms of efficiency, and that’s not a limitation of technology. It’s just how the brain works.
Hybrids mapped to use cases
The obvious answer is that various human tasks are associated with ideal input and output methods.
Voice input is great if you’re driving.
Text input is great if you’re in a library.
Voice output is great if you’re giving your computer basic commands at home.
Visual output is ideal if you need to see lots of data at once, or if the content itself is visual.
Neural interfaces are basically hardware shortcuts to all of these, and it’s too early to even talk about them much.
Voice vs. text
One way I see voice and text that I’ve not heard anywhere else is to imagine them as different forms of the same thing, i.e., natural language. You’re using mostly natural language to convey ideas or desires.
Show me this. I’ll be right there. Tell him to pick me up. I can’t talk now, I’m in a meeting. Order me three of those.
These are all things that you could do vocally or via text. There are of course conventions that are used in text that aren’t used in vocal speech, but they largely overlap. Text, in other words, is a technological way of speaking naturally. You’re not sending computer commands; you’re emulating the same speech we had 100,000 years ago around the campfire.
Common reasons to use text vs. voice include lower social friction, the ability to do it without being as disruptive to others around you, etc. But again, they’re very similar, and in terms of human to computer interface I think we can see them as identical save for implementation details. In both cases the computer has to be good at interpreting natural human speech.
Goals
The key is being able to determine the ideal input and output options for any given human task, and to continue to re-evaluate those options as the technologies for each continue to evolve.
Summary
There are many ways for humans to send input to, and receive output from, computers.
These methods are not hierarchical, meaning voice is not always better than text, and audible is not always better than visual.
Voice and text are different forms of “natural language” that computers need to be able to parse and respond to correctly.
Human tasks will map to one or more ideal input/output methods, and those will evolve along with available technology.
