Daniel Miessler's Blog, page 37
March 29, 2022
News & Analysis | NO. 324
News & Analysis | NO. 328
March 25, 2022
The Actual Pronunciation of GIF, from the Creator

Steve Wilhite giving the correct pronunciation as his Webby Award acceptance speech
The pronunciation of GIF is one of the oldest and most aggressive internet debates. Some of these will never be settled, but luckily with the GIF debate there’s an actual answer.
The creator of the GIF, Steve Wilhite, not only pronounces it as “jif”, but he says that’s the only proper way to say it.
The image above is his acceptance speech for a lifetime achievement award at the Webbys in 2013, and the speech was itself a GIF. This, in my opinion, shuts down all counterarguments.
The creator of a thing has the ability to not only name that thing, but to determine a correct pronunciation. Like Linus did with Linux.
I actually prefer the hard-g pronunciation to “jif”. And I get all the arguments for why it should be a hard-g.
Doesn’t matter.
If the creator tells you how to pronounce it—and how not to pronounce it—there’s your answer.
March 24, 2022
How to Disagree
Paul Graham has a great piece on how to disagree with people in the best possible way.
He provides a hierarchy, with 7 being best:
1. Name-calling
2. Ad hominem
3. Responding to tone
4. Contradiction
5. Counterargument
6. Refutation
7. Refuting the central point

The TL;DR here is to evaluate any argument you’re having with someone, see where each participant is in the hierarchy, and work to get to refuting the central point.
March 21, 2022
News & Analysis | NO. 323
March 20, 2022
Thinking About the Future of InfoSec (v2022)
I’m starting a new series with this 2022 edition where I think about what Information Security could or should look like in the distant future—say in 2050. The ideas will cover multiple aspects of InfoSec, from organizational structure to technology.
I’m doing this for fun—basically to see how dumb I look later—but I also hope it’ll drive interesting discussions on where things should go.
Contents: Introduction, Org Structure, Technology, Regulation, Insurance, Automation / AI, Careers, Distant Future, A Future Example, Summary

Introduction
At the highest level, I think the big change to InfoSec will be a loss of magic compared to now. In the next 15-30 years we’ll see a move from wizardry to accounting—and a much more Operational Technology approach to the discipline in general.
A big part of this will be simply doing the basics well, in a standardized way. We’re currently in pre-teen years here, which is the source of most of our problems. That means asset management, identity, access control, logging, etc. It means most similar types of products (APIs, hosts, datastores, etc.) looking and behaving similarly, with similar controls and interfaces regardless of vendor or implementation. It means standard APIs for auditing and controlling configuration and access to these systems, in addition to using them, so that you can continuously and programmatically determine an object’s security level.
Let’s look at the aspects that will contribute.
Org Structure
I think security will live within engineering in the future, much like building “secure” bridges isn’t a separate department within civil engineering. There’s not a “bridges don’t fall down” department because bridges aren’t supposed to fall down. We’re just not there yet with (info)security because it’s a brand-new field.
I think this might mean that security becomes a smaller oversight function up with the C-Suite, with strong collaboration with the CFO and the head of legal.
There will be a large Operational team that does nothing but monitor everything to ensure they’re within tolerances. This includes making sure only the right people are looking at the right data, only the right people are logging into the right systems, that services are available with enough 9’s, that they’re responsive, etc. Essentially the business will see what the risk tolerance is for all these items, and that’s what the Ops team will monitor in their dashboards. Again, like a factory.
AWS is one of the few things I could see being around in 20 years.
This smaller security team will be responsible for analyzing data from the various telemetry sources and ensuring that everything is within tolerance. This will include things like cloud configurations for open protocols, open ports, authenticated entities, encryption at rest, encryption in transit, who is accessing what items, etc.
They’ll basically be watching massive dashboards and managing responses to stimuli when things happen that are out of the ordinary, and then coordinating with the various oversight groups (foreshadowing: insurance) who are jointly monitoring and/or asking questions about their security posture.
Technology
I think the main difference we’ll see in security tooling will be the integration with the actual IT applications, much like security engineering will be integrated with regular engineering. So there will be some security tooling still, but it’ll be more oversight-based rather than doing the main part of the work.
Similar to AWS now actually, where you have EC2 and Kubernetes configuration, and you have security configurations within those tools. There are separate security offerings from AWS, but from my view we’re already seeing a lot of that tooling move into the core services themselves. The security tooling becomes more about policy, dashboards, and reporting.
Regulation
Some of this depends on the state of the world, i.e., how powerful centralized governments actually are in 20+ years, but let’s assume it’s much the same as now, just more. If that’s the case, we should expect laws to evolve to shorten the time in which incidents must be reported, and we should expect this not just for government organizations, but for corporate entities as well.
Basically, the argument will be made that everything is connected, and that people depend on these corporate services, therefore they’re national infrastructure to some extent. And thus you must report issues in a very timely manner. As the tech evolves I think they’ll require that certain high-scrutiny organizations maintain a giant monitoring brain that the government can tap into when needed or, in some cases, continuously.
HT to Jeremiah Grossman for also being very early to seeing the role of insurance in InfoSec.
Don’t worry, companies will feel more comfortable about this because the insurance companies will already be in that system. It’s good news / bad news.
Regulators will be everywhere. You’ll have to report things very quickly, and there will be severe fines for not doing so. The main difference from today will be that more reporting will be required, at shorter intervals, and that many of those reports will need to be essentially real-time through technology, at least for high-criticality gov/private organizations.
Insurance
As Jeremiah and I have been saying for years, I think insurance will be a major player in the future of InfoSec. Much of the maturity we’re going to see will come from innovations by the organizations that have the most to gain from improvement. When it comes to cars and houses, that push came significantly from insurance companies.
You need these inspections or else you can’t get insured. You need smoke alarms. You need this. You need that.
We don’t yet know what those things are for security, but I can tell you who really cares what they are. Insurance companies. And they’re already instituting all sorts of visibility practices, like requiring that you install a black box on the network to get a sense of your environment. Exactly like Progressive asking you to install a box in your car that can monitor how you drive. Or health insurance companies asking for access to your mobile phone’s Health app.
The result of this is easily predictable: as insurance companies determine what works and what doesn’t, they’ll start requiring certain solutions and rating solutions in general.
Did you know Michelin Star Restaurants are associated with Michelin tires? It’s weird how history plays out like that. They did a campaign about restaurants you could encounter while driving (on Michelin tires, obviously), and that turned into a cornerstone of the restaurant industry.
Well, expect to see Allstate Ratings for Zero Trust solutions too. It’s a lot more inevitable than the Michelin thing, actually, because insurance companies are the ones who are incentivized to find out what actually works. Because then the insurance companies can steer their customers to use those solutions to reduce their own payouts.
Automation and AI
I was going to put this in the Technology section, but it’s worth its own treatment. Machine Learning will continue to soak into all of the world’s technology, and that includes security technology. It’s hard to say, but I do anticipate being able to replicate Level 2 or even Level 3 security analysts in some small domains when the technology is highly advanced and when attack types are relatively static, but most of the benefit of ML will come not from adding 20 L3 analysts, but instead from adding 100,000 mid-level interns.
The more standardization we have in our tech, and the more logging is required, the more data there will be to look at. This problem is not solved by getting more people into the security field. There’s too much data for humans on the planet to analyze, period. This is already true, and it’ll be many times more true in 2050. Automation is needed to filter and curate the data that humans see, and as time progresses the distinction between automation and AI/ML—at least in information technology—will continue to blur.
ML will have the biggest impact in answering questions like the following, at scale:
- Was this action fraudulent?
- Is this a legitimate transaction?
- Was this action performed by the user it was associated with?
- What is the weakest point of entry into this company or country?
- Where should we attack?
- Where should we anticipate attack?
- Among these billions of vulnerabilities, what should we fix first?
- What change should we make to improve outcome X the most?

A good definition of AI is what computers can’t yet do, which is always moving.
In short, ML will continue to become more like statistics, charts, databases, and computers—i.e., a standard way of solving problems in any organization. It’ll just blend into businesses in the same way that your business isn’t considered special for having a Postgres database. One big AI-based innovation step will be general AI, which may or may not happen in the timeframe we’re discussing.
The next aspect of this, which could have been put in the Technology section as well, is CCE, which stands for Continuous Chaos Engineering. The field is also known as AD for Anti-fragile Design, but “AD” was too overloaded as an acronym, so people have been using CCE. The point of these processes is not only to continuously monitor to make sure things are in an ideal state, but to constantly add stress to the system, of different types, to ensure that the system can handle it.
SCs (Stress Campaigns) are constantly run by an arm of engineering, not only to ensure that we could survive these events if they happened, but to actually improve from what we learn. So if we send a massive amount of traffic to a key API endpoint as part of a new SC, and we see X amount of deterioration of the service, we might send an immediate request to boost that service’s on-hand service nodes.
The operational teams monitoring the state of the IT infrastructure will have the challenge of not always knowing (but perhaps sometimes) when an issue that takes a parameter out of compliance comes from an actual natural problem, a member of the offensive team trying to do something malicious, or a real attacker attempting an attack. Some teams will tag activity with various labels (OFFSEC, CHAOSOPS, UNKNOWN, ATTACKER22301 etc.) to help with that attribution, but part of operations will sometimes be having regular operators not know the difference.
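The attribution problem in the previous paragraphs, as an added example that is not code from the post: registered exercises (a chaos Stress Campaign, a red-team engagement) declare a time window, the source ranges they operate from and the assets they may touch, and an out-of-tolerance event is tagged with the campaign it matches. A campaign source touching an asset outside its declared scope is flagged rather than silently claimed, because a red team drifting out of bounds and an attacker hiding inside an exercise window look identical at this point. Everything else stays UNKNOWN for a human. The label names, networks, asset ids and events are all constructed for illustration.

```python
"""Tagging out-of-tolerance events with their likely origin.

Added example, not code from the post. Registered exercises declare a time
window, the source ranges they operate from and the assets they are allowed to
touch; events are matched against those registrations. All names, networks and
events below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Campaign:
    label: str          # CHAOSOPS or OFFSEC in the post's vocabulary
    campaign_id: str
    start: datetime
    end: datetime
    sources: tuple      # CIDR ranges the campaign operates from
    targets: tuple      # asset ids the campaign may touch


@dataclass(frozen=True)
class Event:
    ts: datetime
    source_ip: str
    target: str
    kind: str           # the parameter that went out of tolerance


def classify(event, campaigns):
    """Return a tag for one out-of-tolerance event.

    A source inside a registered campaign's window and address range is that
    campaign's activity; if it touched an asset outside the campaign's declared
    scope the tag carries OUT_OF_SCOPE so a human looks at it.
    """
    ip = ip_address(event.source_ip)
    for c in campaigns:
        in_window = c.start <= event.ts <= c.end
        from_source = any(ip in ip_network(net) for net in c.sources)
        if in_window and from_source:
            if event.target in c.targets:
                return f"{c.label}:{c.campaign_id}"
            return f"{c.label}:{c.campaign_id}:OUT_OF_SCOPE"
    return "UNKNOWN"


def triage_queue(events, campaigns):
    """Events that nobody has claimed, or that a campaign touched out of scope."""
    queue = []
    for event in events:
        tag = classify(event, campaigns)
        if tag == "UNKNOWN" or tag.endswith(":OUT_OF_SCOPE"):
            queue.append((event, tag))
    return queue


def operator_view(events, campaigns, blind=False):
    """What line operators see. With blind=True every event shows as UNKNOWN,
    the mode where regular operators are not told which stimuli are exercises."""
    return [(e, "UNKNOWN" if blind else classify(e, campaigns)) for e in events]


DAY = datetime(2050, 3, 20, tzinfo=timezone.utc)
CAMPAIGNS = [
    Campaign("CHAOSOPS", "sc-117", DAY + timedelta(hours=9), DAY + timedelta(hours=10),
             sources=("10.50.0.0/16",), targets=("api-01",)),
    Campaign("OFFSEC", "rt-2203", DAY, DAY + timedelta(days=1),
             sources=("192.0.2.0/24",), targets=("vpn-01", "db-01")),
]

# Constructed events: a stress-campaign latency spike, red-team auth failures,
# the red team touching a log bucket it did not declare, the same chaos source
# after its window closed, and auth failures from an unregistered address.
SAMPLE_EVENTS = [
    Event(DAY + timedelta(hours=9, minutes=15), "10.50.3.7", "api-01", "latency_spike"),
    Event(DAY + timedelta(hours=9, minutes=20), "192.0.2.44", "db-01", "auth_failures"),
    Event(DAY + timedelta(hours=9, minutes=25), "192.0.2.44", "s3-logs", "config_drift"),
    Event(DAY + timedelta(hours=11, minutes=40), "10.50.3.7", "api-01", "latency_spike"),
    Event(DAY + timedelta(hours=9, minutes=30), "203.0.113.9", "db-01", "auth_failures"),
]

if __name__ == "__main__":
    for event, tag in operator_view(SAMPLE_EVENTS, CAMPAIGNS):
        print(f"{event.ts:%H:%M} {event.source_ip:>12} -> {event.target:8} {event.kind:14} {tag}")
    print(f"{len(triage_queue(SAMPLE_EVENTS, CAMPAIGNS))} events need a human")
```

The design choice worth noting is that a match requires window, source range and declared target together: a campaign's own source hitting an undeclared asset, or its source appearing after the window has closed, lands in the triage queue instead of being absorbed by the exercise label.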
Careers
Ok, cool. So what about people? What will it mean to be in security in, like, 2050? I think the answer is:
- More Electrician-types (tradespeople connecting things according to documented specs)
- More Data Analysts (statistics and ML background, combined with data visualization)
- Security Executives become factory fore-people, i.e., overseeing an operational function, combined with broadcasters of narrative

There is still variation in electrician implementations, too.
So we’ll have millions of people employed to install and configure the various types of tools needed in a business. I think these tools might blur between the tools themselves vs. the security tooling. For example, if people come to install Salesforce they’ll be installing it and configuring it to plug into your internal data lake and brain. So, just like electricians, there will be well-known inputs, and well-known outputs, and it’ll just be a matter of figuring out where to put what.
In other words, when Allstate and the State of Massachusetts come to connect to your company’s IT Brain, called Cognito, provided by Databricks (now owned by Amazon like everything else), everyone will be using the same nozzles and connectors.
Careers will be more cleanly broken into functions like:
- Installing things according to regulation and standard
- Knowing the current configuration of a given system at all times
- Analyzing the data from all systems to get that into dashboards
- Evaluating dashboards to determine which changes to configuration should be made
- Making configuration changes and evaluating their impact
- Continuous monitoring of those dashboards to flag anomalies
- Using AI/ML to make smarter and smarter recommendations based on the data available
- Taking the output of data analysis and dashboards and turning that into narratives for partners, management, investors, insurers, regulators, etc.

If this sounds boring, yes, it will be. That’s the point. That’s what happens when you move from wizards to book-keepers. Wizards deal with the unknown. The arcane. It’s where few people know what’s happening, and everyone looks up to them. This is bad for business because it’s not repeatable.
Accounting is repeatable. Arithmetic is repeatable. And so will be identity, access control, logging—once we hit our late 20’s and early 30’s as an industry.
What does this mean for “jobs in security?”
It means you’re installing products for an internal company. You’re installing products for Allstate, which means for Allstate’s customers. Or you’re using data analytics and data science to look for patterns in the data in FooCorp’s Cognito install. Or you’re a configuration validator who makes sure every product is installed to standard, with all inputs and outputs working correctly. Or you’re an engineer working on improving the products themselves. Or you’re an executive telling the data security story to your stakeholders.

Will there be OFFSEC people? Red team? Blue team? Absolutely. All of this still has cruft in it. Even though it’ll be 95% better than today, that 5% will still be able to cause havoc and the loss of a lot of money.
So there will still be some arcane magic users, but they will become fewer and fewer as time goes on. And they’ll increasingly need to be strong developers skilled with analysis and manipulation.
Distant Future
This gets fuzzier as we move forward, obviously. But let’s try to add some decades and see what changes the most.
I think the simplest answer is “fewer people”. As the tech keeps improving, it also gets better at installing itself, continuously checking its own configuration, raising alarms when it’s not working, etc. That means fewer people required to do those pieces.
So it’s fewer and higher-skilled people doing data analysis on what the dashboards are telling us, and creating better dashboards, rather than doing the installs themselves. And then it’s fewer but higher-skilled executives taking that data into conversations with stakeholders.
And then of course there are the people working on the actual products. This will increasingly be elite work for the best programmers in the world since an increasing proportion of “basic development” will be within the capabilities of AI/ML by then. But again, remember that these people will largely be working for the technology companies, not for security companies. They’ll just be working on security features for Cognito, Salesforce, or for AWS’s equivalent at the time.
I anticipate there will still be security companies, but that they’ll largely be incubators for candidate security features for inclusion in the bigger IT products. So the company takes a copy of Cognito and their competitor, spends a few months working on a cool set of new security features, and then they take that to the market. And if the feature is strong those companies will buy the code and/or the team.
In other words, I think much of the current security market is based on how poorly the industry does the basics. AWS exists because local IT within companies was a dumpster full of burning tires. Asset management companies exist because nobody knows what they have, and therefore what to defend. Endpoint companies exist because OS’s haven’t been great at identity, access control, and allow-listing applications and content. As those basics improve, that functionality moves back into the core products.
AWS will have asset management and continuous monitoring. Microsoft will have endpoint protection. Databricks will have data security built-in. This does raise the question of monopoly, and how companies will be inspired to innovate if they’re the consolidated big companies at the table, and I think the answer will have to be some combination of this feature development model for startups along with regulation that pushes higher and higher standards for organization protection.
I can easily see AWS being broken out relatively soon.
That’s a weird thing to type, actually, and it’s why I’m doing this exercise. As companies like Salesforce and AWS get bigger through success and acquisitions the incentive to innovate will eventually slow down. And furthermore, if you’re on AWS and they provide like everything for your company, it’s going to be pretty hard to migrate over to some new upstart’s offering if it’s in conflict with AWS in some way. The momentum to stay with AWS will continue to build because new companies won’t have the resources to offer similar stability or support.
A Future Example
Amaya works for Progressive, which is the main player in auto and Cyber Insurance.
She is an expert with Cognito, a formerly Databricks and now AWS tool for unifying all IT feeds (which include security) into a single place. It’s basically the brain of most enterprise IT infrastructures. She is going into a medium-sized business that’s having issues with their telemetry meeting insurance and government standards. In other words, not everything is configured correctly, logging, to the right places, at the right verbosity levels, and at the right cadence. And it’s not all being sent to a single place.
She starts with the AWS infrastructure and applies a Cognito template that does a bunch of analysis (AI/ML stuff) to look at everything that exists, all of its existing settings, etc. She then selects a policy template that accounts for what Progressive is asking for, as well as the State of Michigan where the company resides, plus some additional asks from other stakeholders. That takes a few minutes to finish because it has to look at every setting in all of AWS and determine current state and end state.
She then launches CogniBot, which is a set of hundreds of thousands of ai-automated applications that spider and crawl and log into things dynamically given the credentials and authority she’s been given to do this project. This allows the bots to learn the delta between what they see in the configurations vs. what actually exists in the infrastructure. CogniBot systems coordinate to look at the external perimeter, internal access controls, listening services, all software versions, etc. Essentially the same thing the configuration tool looked at, but it’s doing it dynamically via active and passive probing.
These are left to run for between 3 days to a month, to listen on the network, to watch traffic patterns and other aspects of the business that aren’t as clear from static analysis, and to generally provide peace of mind that the migration to the new Cognito Template will not cause disruption to business.
Upon her return, Amaya will review all the data with her team, meet with the customer, coordinate a time for the changes, and then begin migrating all AWS settings to the new policy. This will happen in a phased approach that Cognito’s intelligence came up with—including automated rollback if problems are detected during the process. Cognito will continuously monitor the state of business during the migration and ensure that all business operations continue to function throughout. They start with datastores, then move to network access, then to endpoint lockdown, etc.—all the way through the systems controlled by AWS.
This will change access controls, enabled protocols, storage settings, and pretty much every configuration option that has a bearing on Progressive’s and the State of Michigan’s controls, as defined in their templates.
At the end of the migration, Amaya and her team look at the new Cognito dashboards, which show all the data and new telemetry flowing into the Amazon Databricks backend. They see that every cloud server, every application access, every authentication challenge, every endpoint action, etc. is being logged into Cognito, and that the company is currently sitting at 94% compliance. It appears that the policy rollout could not reach some percentage of endpoints because they were hard-powered-down, and they’re waiting for those to re-associate.
Her team will continue to monitor this, and now they start thinking about the next project: Salesforce. Terabytes of data are being created for this company per week within the system, but the storage configuration and logging are not compliant with 7 different states, Ireland, Iceland, or Papua New Guinea. Or with Progressive, which is why she’s been assigned to the project.
So now she’s going to take the Cognito templates for all those jurisdictions and run them against the petabytes of data for this customer, as well as every setting that pertains to protecting that data, and will produce the configuration changes to get it compliant. Most importantly, it will not only lock down all those settings but will enable verbose logging for all events and send it all to the Cognito instance within the company.
Months later, Tariq is enjoying his new position as head of security for the company, and he’s having his coffee while looking at the Cognito dashboards. Everything is running within appropriate tolerances, and has been for several weeks. There are occasional Orange or Red events where configurations go out of compliance, or where an object fails to report in with telemetry, but those are quickly accounted for by the massive operational team they run.
This team essentially watches the Cognito dashboards and takes corrective action whenever anything goes out of compliance, followed up by the RCA team taking an action item to ensure that never happens again.
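The mechanical core of the walk-through above (a policy template applied to an inventory, a compliance percentage, assets that have not reported in, and a ranked list of what to fix first), and of the Introduction’s point about programmatically determining an object’s security level, as an added example that is not code from the post. “Cognito”, the insurer and state templates, the control names and the asset records are all constructed for illustration; the one design decision worth copying is that an asset that has gone silent is scored as unknown and counted against the ratio, never assumed compliant.

```python
"""Evaluating an asset inventory against a policy template.

Added example, not code from the post. The templates, control names and asset
records below are constructed for illustration, not any vendor's format.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# A policy template maps a control to the value it must have. A control that an
# asset does not report at all counts as failing: absence is not compliance.
POLICY_INSURER = {
    "encryption_at_rest": True,
    "encryption_in_transit": True,
    "logging_destination": "cognito",
    "public_ingress": False,
}
POLICY_STATE = {"log_retention_days": 365}

# An asset silent for longer than this cannot be scored; it is reported as
# 'unknown' rather than assumed compliant (the powered-down endpoints above).
MAX_SILENCE = timedelta(hours=24)


@dataclass
class Asset:
    asset_id: str
    kind: str
    last_seen: datetime
    config: dict = field(default_factory=dict)


def merge_policies(*policies):
    """Later templates override earlier ones; order them least to most strict."""
    merged = {}
    for policy in policies:
        merged.update(policy)
    return merged


def evaluate_asset(asset, policy, now):
    """Return (status, failing_controls); status is compliant, noncompliant or unknown."""
    if now - asset.last_seen > MAX_SILENCE:
        return "unknown", []
    failing = [c for c, required in policy.items() if asset.config.get(c) != required]
    return ("compliant" if not failing else "noncompliant"), failing


def compliance_report(assets, policy, now, tolerance=0.95):
    """Score the whole inventory and rank which control to fix first."""
    counts = {"compliant": 0, "noncompliant": 0, "unknown": 0}
    findings = {}
    failures_per_control = {}
    for asset in assets:
        status, failing = evaluate_asset(asset, policy, now)
        counts[status] += 1
        if failing:
            findings[asset.asset_id] = failing
            for control in failing:
                failures_per_control[control] = failures_per_control.get(control, 0) + 1
    total = len(assets)
    ratio = counts["compliant"] / total if total else 0.0
    # Unknown assets count against the ratio: silence is not evidence of compliance.
    if ratio >= tolerance:
        colour = "green"
    elif ratio >= tolerance - 0.10:
        colour = "orange"
    else:
        colour = "red"
    fix_first = sorted(failures_per_control.items(), key=lambda kv: (-kv[1], kv[0]))
    return {"ratio": ratio, "counts": counts, "colour": colour,
            "findings": findings, "fix_first": fix_first}


# Constructed inventory: one compliant datastore, one service with public ingress,
# one laptop that has not reported for three days, and one log bucket shipping to
# the wrong place with too short a retention.
NOW = datetime(2050, 3, 20, 9, 0, tzinfo=timezone.utc)
SAMPLE_ASSETS = [
    Asset("db-01", "datastore", NOW - timedelta(minutes=5),
          {"encryption_at_rest": True, "encryption_in_transit": True,
           "logging_destination": "cognito", "public_ingress": False,
           "log_retention_days": 365}),
    Asset("api-01", "service", NOW - timedelta(minutes=2),
          {"encryption_at_rest": True, "encryption_in_transit": True,
           "logging_destination": "cognito", "public_ingress": True,
           "log_retention_days": 365}),
    Asset("lt-0042", "endpoint", NOW - timedelta(days=3), {}),
    Asset("s3-logs", "datastore", NOW - timedelta(minutes=1),
          {"encryption_at_rest": True, "encryption_in_transit": True,
           "logging_destination": "local", "public_ingress": False,
           "log_retention_days": 90}),
]

if __name__ == "__main__":
    report = compliance_report(SAMPLE_ASSETS, merge_policies(POLICY_INSURER, POLICY_STATE), NOW)
    print(f"{report['ratio']:.0%} compliant ({report['colour']}), counts={report['counts']}")
    for asset_id, failing in report["findings"].items():
        print(f"  {asset_id}: {', '.join(failing)}")
    print("fix first:", report["fix_first"])
```

The tolerance argument is the business-set threshold the operations team watches; the colour bands are what a dashboard would turn Orange or Red on, and the fix-first ranking is the simplest form of the “among these, what should we fix first?” question from the Automation and AI section.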
Summary
- As our industry moves from our pre-teens to our 20’s and 30’s (2030-2050?), we’ll transition from Wizards to Accountants.
- Much of this will center around doing the basics of asset management, identity, access control, and logging well.
- AI and Automation will remove the need for a lot of the manual work of installing and monitoring products.
- We will soon see large, monolithic, ML-powered products that take in all telemetry from everything, and produce unified dashboards.
- Insurance and Regulation will push towards this, driving the standardization and operationalization of InfoSec.
- Security will increasingly blend into engineering, both at the technical level and within organizational charts.
- As part of operationalization, the concepts of resilience and antifragility will become major considerations.
- The mid-game (who knows what the endgame is) involves a massive operations team monitoring centralized dashboards and responding when things go out of tolerance. Not security dashboards. Company dashboards. Which include security and lots of other types of metrics and risk-levels that need to be kept within tolerances.

Notes
- One thing that detracts from the factory metaphor is that factories generally account for first-order chaos, or static threats like equipment failure. Cyber is different because the attacker knows the current state of their abilities as well as defenses, and can modify their behavior accordingly. I think this will slow, but not stop, the inevitable march towards boring dashboard InfoSec.
- Credit to Caleb Sima for some enlightening seed thoughts on the integration of security and engineering.
- Ironically, heavy automation seems to open the door even more for OFFSEC and Blue Team, because the more we blindly depend on autonomous technology the more vulnerable we could become to everything suddenly breaking, either by accident or on purpose.

Image from Langara.

March 19, 2022
Google Has Opened the Door To Cloudflare
I’ve been complaining for years about Google’s various UI/UX problems.
As the most recent example, I got a notification that I had over 10,000 views on the site yesterday. Cool. Well, except I had those views on Wednesday, and got the alert yesterday.
Yes, they have a service called traffic “alerts” that doesn’t send an actual alert until 24 hours later. That’s not an alert. That’s a report—barely.
But no big deal. Probably an easy fix, right? Let’s just let them work on it? Nope. I and others have been complaining about this same exact problem for over 6 years, including sending support emails into the least monitored inbox in the Sol planetary system.
They don’t care, and even worse, they don’t seem to realize that they should. A recent Hacker News post asks an important question: If Google Sucks So Bad, Why Are People Still Using It?
Good question, and I think the answer is quite simple—Google’s features and stability have thus far been more compelling than its faults because there hasn’t been a strong enough competitor.
I think Cloudflare is changing that.
Cloudflare is Borging-up tons of internet spaces that used to belong to other companies. And they’re doing it while providing stable services and a modern UI.
They’re cutting into the WAF space, third-party web integrations, zero trust, internal VPNs, content distribution, DNS hosting, and countless others.
Importantly, they are constantly innovating and—check this out—they answer support requests. They’re responsive. They’re listening and they’re adjusting to what they think customers need.
This is the Star Trek opposite of Google doing all these same services. Google builds a cryptic UI that people struggle to use, and then proceeds to not change that UI for years and years. Best part of it? There’s no one to email. No one to call. It’s basically saying:
Hey we made a thing without any care for how easy it is to use, but it’s kind of the most stable thing out there because we’re Google. Maybe you’ve heard of us. Oh, and don’t complain because nobody’s listening. You’re welcome.
How I Imagine Them Talking In My Head
We accepted that. I accepted that. Despite saying for nearly a decade that I was done with Google. I never left because I never could.
And I can’t shake the feeling that Cloudflare knows this, and that they’re working to pull all these core-internet-infrastructure services from them.
I hope they do.
March 16, 2022
A Quick Thought on Removing Daylight Saving(s)
Well, our congressional heroes finally addressed our failing bridges and the lack of teachers.
Turns out it’s actually Daylight Saving Time.
Just kidding. They got rid of daylight savings (sic) time.
I can’t shake the feeling that there might have been a good reason we implemented it in the first place. I remember researching for like 9 seconds many years ago (because I was annoyed at it too), and it turns out they had reasons. Maybe those reasons were bad, or maybe they’re now obsolete.
Fair enough. Not really the point. What I worry about are Idiocracy-based policy changes, i.e., where masses of loud people on social media convince an impotent Congress to do stuff because “DST is annoying, no-cap.” And they do it because they want a cheer from the stands.
Maybe we got it right on this one. Cool. I prefer the consistent model as well.
But I really hope we don’t start changing highly researched policy due to TikTok-ish outcry. That’s how you lose things like truancy laws and other public goods because they’re too collectivist vs. individualist.
Like, really? The government makes us go to school under penalty of jail time for parents? I expect to see #eviltruancy trending on TikTok soon, resulting in Marco Rubio championing #parentchoice on the floor of the Senate.
Unraveling collectivist protections for TikTok likes is not a model for sustained existence as a country.
March 13, 2022
News & Analysis | NO. 322
How to Tell the Difference Between a Legitimate NFT and a Rug Pull
A lot of people, especially in the security industry, are concerned that NFTs are a scam. And that’s for a good reason in many cases, since many of them are.
In fact, I’d say it’s something like 95%. That’s not a real number, but that’s where I’d put the ratio.
But I’m not trying to convince you that NFTs are scams. Or that they aren’t. What I’m trying to convince you is that 1) both exist, and 2) it’s possible to tell them apart.
What is value?
In order to tell the difference we have to ask ourselves what it means for something to be valuable. Quite simply, things have value if they’re valued. A giant block of platinum is worthless if it has no worth to anyone. And a stick figure drawing on a napkin could be worth life itself to a specific individual.
It’s also possible to create value through marketing. In the 40’s and 50’s, corporate America decided we needed mortgages and diamond rings, so they generated marketing campaigns (like Mad Men) around homeownership and diamonds being a girl’s best friend. The result is that most women still idealize getting a diamond today, and most people still see owning a home as a major milestone.
The value of diamonds was manufactured in a Mad Men-style marketing agency.
These desires were manufactured—on purpose—through marketing—to achieve a specific result, which was to create desire for these objects which corporate America would then sell. They created desire for a thing, and the object of that desire then became valuable.
NFTs can work in the same way, and the same game is being played with them. It’s a combination of making a thing, and then trying to generate hype around it. Just like a mortgage or a diamond ring. The trick is in how much value a thing passively and sustainably has once the hype engine slows down.
For a house in the Bay Area, that value is pretty high. For a diamond, which is part of an artificially-controlled marketplace that requires constant control, the hold is becoming more tenuous.
How NFTs attain value
I’ve already talked elsewhere about how NFTs have a future as digital ownership, and as a basis for social signaling. That’s pretty much a given, but the part that’s guaranteed is “digital ownership”, not the NFT part. NFTs are just an early stab at the concept, and digital ownership validation could be called something completely different later, and probably will.
Art is another asset type where the value is based on hype.
The type of NFTs I’m talking about here, though, are the type we see on OpenSea and other exchanges. And the type that are being used to raise money for crypto-oriented projects. Those are the types with the highest percentages of scams, and the type that are creating skepticism with most people.
A lot of the space revolves around art, which is yet another traditional space where hype is the primary driver of value.
Feces on Canvas could be worth millions if enough rich people are in a room looking at it.
That’s a tentative kind of value because if the hype dies down, so does the value. And it’s the same with NFTs.
The NFT rug-pull
The main scam in the NFT and crypto world right now is called a rug-pull. It’s where a team comes up with an NFT, or a coin, and generates massive interest in it. This draws more and more people, who then buy even more, which reduces supply, and drives the price even higher.
Then, once the price gets high enough, the founders sell everything and walk away. The project crashes and everyone loses their money. Except for the founders. They are instant millionaires.
That’s a rug-pull, but it’s only one way to lose money in the NFT space. The founders could also be duped just like everyone else because they don’t realize the project is worthless either.
Asking the right question
There’s a simple question you should ask if you’re trying to tell whether a crypto or NFT project has a future:
What is the core value of the project, separate from the NFT?
You can ask this for any project.
For NFT art projects you have a simple art play, which we saw above. The idea—just like with diamonds—is that you’re going to convince enough people that this thing is valuable, such that it will become valuable and hopefully increase in value over time.
Ok, sure. That could happen. But your chances go down a lot if it’s not good art, and if you don’t have a lot of luck on your side. If you happen to be one of the first, or you get a celebrity endorsement or something, you might be set. But for all the also-rans there’s no guarantee that the hype-engine around the entire space will be strong enough to carry your mediocre offering.
It’s a risky bet, and it’s vulnerable to both a fizzle (nothing happens whatsoever), or a rug-pull (where the value goes up for a moment and the first-movers immediately exit).
If it’s not an art play, the question is even easier. Where is the supposed future value coming from? For any given potential project, fill in the following sentence:
This NFT has value because it will allow someone to do ______________ within the company’s ecosystem, which will be independently valuable because of _________________.
What are those blanks?
What does the NFT allow you to do? Is it just a baseball card? Or an art piece? Meaning the value is in trading it in the future at a (hopefully) higher value?
Or will the NFT be more like a VIP pass that gives you special abilities? Like a free lifetime subscription to something, or the ability to jump ahead in line at locations everywhere, etc.
In short, force them to fill in the value statement.
Examples of good and bad NFTs
Here’s an example of a bad NFT/coin pitch that’s highly likely to be either a fizzle or a rug pull:
What is the core value of the project, separate from the NFT?
It’s just super exciting. It’s the wizz-bang NFT for the wizz-bang network, which has its own wizz-bang coin.
Ok, cool, but that doesn’t tell me anything. What do I get when I buy an NFT, and what does that NFT let me get within the ecosystem?
So, great question. The NFT provides initial funding for the value creation network we’re building, which is a business that makes things of value for people. It’s a unique approach to creating value.
Ok, so I’m not sure what that means, but it sounds like it’s not built yet. So you’re saying you’re going to build a business later, using this money. Is that right?
Yes, that’s right, we’re looking to build a much better network than others are building, and current NFT holders will be the first ones in.
This is a Hopium play, as far as I can tell. They haven’t built a business. They can’t even fully articulate the idea of the business. Maybe it’s a scam or maybe it’s just bad business. Either way, you should probably stay away.
Note: This is the pitch for like 80% of NFTs and new crypto coins that I hear about. They’re hype on top of hype.
Remember, hype isn’t the problem. Hype can be nice, and even healthy. But only if it’s pointing to a real thing with real potential. The whole exercise here is to dig to see if there’s something real or not.
Also keep in mind that most bad NFTs/coins are run by people high on Hopium who don’t realize they don’t have a real business. They think the hype IS the business, and they’re delusional rather than malicious. This can lead to either a Rug Pull or a Fizzle, but it’s not the same as a true Rug Pull where the founders knew from the beginning that it was a scam.
A better NFT/coin
Ok, so what’s the core value of the project, separate from the NFT?
So we’re an investment network for independent artists. We encourage people to become patrons of small artists that aren’t yet known, and this helps both the artist and the patron.
Ok, so what does the NFT do?
Yeah, so when you buy an NFT you’re buying the rights to one of the artist’s pieces, you’re also getting a 20% discount on all their future pieces, and you’re getting a 0.5% commission on all that artist’s future earnings. Your NFT also gives you 1,000 Arteest Coins, which can be used to send artists money or buy art within the network.
Ok, so the more artists that join the more value the NFTs and the coins have. But won’t this be bad for the artist if too many people buy their NFTs? Won’t they end up not earning that much of what they pull in?
There is a maximum to the percentage of funding that can come out of an artist’s earnings, and the earlier supporters get a bigger piece. But by the time the maximum is hit, the artist will be making a healthy living already, which is the entire point of the project!
This is something I’d buy into. It doesn’t mean it’ll work. It doesn’t mean it’s a guarantee. But at least they can articulate the purpose of the project independent of the NFT/coin.
In other words, if the project doesn’t make sense by itself, it also doesn’t make sense as an NFT or as something-something-crypto.
Summary
- The NFT/Coin space is full of scams and Hopium projects, but there are also some interesting things happening.
- To determine which is which, ask what the value of the project is—independent of the NFT/Coin.
- If you can’t get a direct answer, the project is likely either a scam or Hopium, i.e., a scam where the founder is being scammed by themself as well.
- Hard-avoid any project that can’t articulate its purpose without talking about NFTs or crypto. NFTs and crypto should be seen as new and interesting ways of doing a real business, not a way to make money without providing value.
- If the project doesn’t make sense by itself, it also doesn’t make sense as an NFT or as something-something-crypto.