Daniel Miessler's Blog, page 38

A lot of people, especially in the security industry, are concerned that NFTs are a scam. And that’s for a good reason in many cases, since many of them are.

In fact, I’d say it’s something like 95%. That’s not a real number, but that’s where I’d put the ratio.

But I’m not trying to convince you that NFTs are scams. Or that they aren’t. What I’m trying to convince you is that 1) both exist, and 2) it’s possible to tell them apart.

What is value?

In order to tell the difference we have to ask ourselves what it means for something to be valuable? Quite simply, things have value if they’re valued. A giant block of platinum is worthless if it has no worth to anyone. And a stick figure drawing on a napkin could be worth life itself to a specific individual.

It’s also possible to create value through marketing. In the 40’s and 50’s, corporate America decided we needed mortgages and diamond rings, so they generated marketing campaigns (like Mad Men) around homeownership and diamonds being a girl’s best friend. The result is that most women still idealize getting a diamond today, and most people still see owning a home as a major milestone.

The value of diamonds was manufactured in a Mad Men-style marketing agency.

These desires were manufactured—on purpose—through marketing—to achieve a specific result, which was to create desire for these objects which corporate America would then sell. They created desire for a thing, and the object of that desire then became valuable.

NFTs can work in the same way, and the same game is being played with them. It’s a combination of making a thing, and then trying to generate hype around it. Just like a mortgage or a diamond ring. The trick is in how much value a thing passively and sustainably has once the hype engine slows down.

For a house in the Bay Area, that value is pretty high. For a diamond, which is part of an artificially-controlled marketplace that requires constant control, the hold is becoming more tenuous.

How NFTs attain value

I’ve already talked elsewhere about how NFTs have a future as digital ownership, and as a basis for social signaling. That’s pretty much a given, but the part that’s guaranteed is “digital ownership”, not the NFT part. NFTs are just an early stab at the concept, and digital ownership validation could be called something completely different later, and probably will.

Art is another asset type where the value is based on hype.

The type of NFTs I’m talking about here, though, are the type we see on OpenSea and other exchanges. And the type that are being used to raise money for crypto-oriented projects. Those are the types with the highest percentages of scams, and the type that are creating skepticism with most people.

A lot of the space revolves around art, which is yet another traditional space where hype is the primary driver of value.

Feces on Canvas could be worth millions if enough rich people are in a room looking at it.

That’s a tentative kind of value because if the hype dies down, so does the value. And it’s the same with NFTs.

The NFT rug-pull

The main scam in the NFT and crypto world right now is called a rug-pull. It’s where a team comes up with an NFT, or a coin, and generates massive interest in it. This draws more and more people, who then buy even more, which reduces supply, and drives the price even higher.

Then, once the price gets high enough, the founders sell everything and walk away. The project crashes and everyone loses their money. Except for the founders. They are instant millionaires.

That’s a rug-pull, but it’s only one way to lose money in the NFT space. The founders could also be duped just like everyone else because they don’t realize the project is worthless either.

Asking the right question

There’s a simple question you should ask if you’re trying to tell whether a crypto or NFT project has a future:

What is the core value of the project, seperate from the NFT?

You can ask this for any project.

For NFT art projects you have a simple art play, which we saw above. The idea—just like with diamonds—is that you’re going to convince enough people that this thing is valuable, such that it will become valuable and hopefully increase in value over time.

Ok, sure. That could happen. But your chances go down a lot if it’s not good art, and if you don’t have a lot of luck on your side. If you happen to be one of the first, or you get a celebrity endorsement or something, you might be set. But for all the also-rans there’s no guarantee that the hype-engine around the entire space will be strong enough to carry your mediocre offering.

It’s a risky bet, and it’s vulnerable to both a fizzle (nothing happens whatsoever), or a rug-pull (where the value goes up for a moment and the first-movers immediately exit).

Join the Unsupervised Learning CommunityI read 20+ hours a week and send the best stuff to ~50,000 people every Monday morning.

If it’s not an art play, the question is even easier. Where is the supposed future value coming from? For any given potential project, fill in the following sentence:

This NFT has value because it will allow someone to do ______________ within the company’s ecosystem, which will be independently valuable because of _________________.

What are those blanks?

What does the NFT allow you to do? Is it just a baseball card? Or an art piece? Meaning the value is in trading it in the future at a (hopefully) higher value?

Or will the NFT be more like a VIP pass that gives you special abilities? Like a free lifetime subscription to something, or the ability to jump ahead in line at locations everywhere, etc.

In short, force them to fill in the value statement.

Examples of good and bad NFTs

Here’s an example of a bad NFT/coin pitch that’s highly likely to be either a fizzle or a rug pull:

What is the core value of the project, seperate from the NFT?

It’s just super exciting. It’s the wizz-bang NFT for the wizz-bang network, which has its own wizz-bang coin.

Ok, cool, but that doesn’t tell me anything. What do I get when I buy an NFT, and what does that NFT let me get within the ecosystem?

So, great question. The NFT provides initial funding for the value creation network we’re building, which is a business that makes things of value for people. It’s a unique approach to creating value.

Ok, so I’m not sure what that means, but it sounds like it’s not built yet. So you’re saying you’re going to build a business later, using this money. Is that right?

Yes, that’s right, we’re looking to build a much better network than others are building, and current NFT holders will be the first ones in.

This is a Hopium play, as far as I can tell. They haven’t built a business. They can’t even fully articulate the idea of the business. Maybe it’s a scam or maybe it’s just bad business. Either way, you should probably stay away.

Note: This is the pitch for like 80% of NFTs and new crypto coins that I hear about. They’re hype on top of hype.

Remember, hype isn’t the problem. Hype can be nice, and even healthy. But only if it’s pointing to a real thing with real potential. The whole exercise here is to dig to see if there’s something real or not.

Also keep in mind that most bad NFTs/coins are people high on Hopium who don’t realize they don’t have a real business. They think the hype IS the business, and they’re delusional rather than malicious. This can lead to both a Rug Pull or a Fizzle, but it’s not the same as a true Rug Pull where the founders knew from the beginning that it was a scam.

A better NFT/coinOk, so what’s the core value of the project, separate from the NFT?

So we’re an investment network for independent artists. We encourage people to patron for small artists that aren’t yet known, and this helps both the artist and the patron.

Ok, so what does the NFT do?

Yeah, so when you buy an NFT you’re buying the rights to one of the artist’s pieces, you’re also getting a 20% discount on all their future pieces, and you’re getting a 0.5% commission on all that artist’s future earnings. Your NFT also gives you 1,000 Arteest Coins, which can be used to send artists money or buy art within the network.

Ok, so the more artists that join the more value the NFTs and the coins have. But won’t this be bad for the artist if too many people buy their NFTs? Won’t they end up not earning that much of what they pull in?

There is a maximum to the percentage of funding that can come out of an artist’s earnings, and the earlier supporters get a bigger piece. But by the time the maximum is hit, the artist will be making a healthy living already, which is the entire point of the project!

This is something I’d buy into. It doesn’t mean it’ll work. It doesn’t mean it’s a guarantee. But at least they can articulate the purpose of the project independent of the NFT/coin.

In other words, if the project doesn’t make sense by itself, it also doesn’t make sense as an NFT or as something-something-crypto.

SummaryThe NFT/Coin space is full of scams and Hopium projects, but there are also some interesting things happening.To determine which is which, ask what the value of the project is—independent of the NFT/Coin.If you can’t get a direct answer, the project is likely either a scam or Hopium, i.e., a scam where the founder is being scammed by themself as well.Hard-avoid any project that can’t articulate its purpose without talking about NFTs or crypto. NFTs and crypto should be seen as new and interesting ways of doing a real business, not a way to make money without providing value.If the project doesn’t make sense by itself, it also doesn’t make sense as an NFT or as something-something-crypto.

[ February 12th, 2014 ]

Here are a few things I do immediately on any new Linux server.

Upload my own .vimrc so that I have jk as ESC, SPACE as my leader, and all my other tweaks.Change my shell to zsh so I have vim functionality on the command line, better autocomplete, etc.chsh -s /bin/zshInstall Prezto so I have massively enhanced zsh functionality, including themes and plugins4 git clone --recursive https://github.com/sorin-ionescu/ \ prezto.git "${ZDOTDIR:-$HOME}/.zprezto"Set a static IP, DNS, hostnameUpdate the systemEnable SSH key authentication, with passwords disabled

I used to slowly do these over the first few hours, as I ran into them, but this is such a maddening experience that I now do this workflow immediately.

I suggest you consider doing the same. It’ll make you more productive faster, and doing the vim and zsh stuff first avoids you messing with stored muscle memory regarding your shell and text editor while you do your initial edits.

People are starting to get the message that text/SMS is a weak form of multi-factor authentication (MFA). Fewer people know that there’s a big gap between the post-SMS MFA options as well.

As I talked about in the original CASSM post, there are levels to this game. In that post we talked about 8 levels of password security, starting from using shared and weak passwords and going all the way up to passwordless.

This post will explain the main difference in the higher levels—specifically, what makes Level 8 so much better than 7 and below?

The answer is simple, actually—phishing.

A growing percentage of malware packages now include prompts for not only a username and password, but also an MFA code. This means traditional MFA is becoming increasingly useless against phishing in the real world.

The problem isn’t how you got an MFA code—the problem is giving you an MFA code in the first place.

And it doesn’t really matter how you got that MFA code. It might have been a text, or it could have been something “strong”, like a mobile authenticator app like Google Authenticator or Authy. However you got it, you now have it, which means you can now type it into a text field owned by a bad guy.

So that raises the question: is there a type of authentication that protects against this? In other words, is there a type of MFA that’s resistant to phishing? The answer is yes.

FIDO stands for Fast Identity Online, and it uses the Universal Authentication Framework (UAF) and Universal Second Factor (U2F) protocols. The systems use public-key cryptography and a physical access token. The private key is stored on the token and kept with you, and the public key is stored with the services you want to authenticate to.

You can’t phish an MFA code that doesn’t exist.

When you authenticate, you prove to the client/token that you are you (fingerprint, PIN, voice, etc.), and the client creates a signed request that’s sent to the service. That request is decrypted and authenticated using the public key, which proves the request was made using the private key, and you are then authenticated.

FIDO2 / WebAuthn is the passwordless version of FIDO, and the passwordless part is critical here. It completely changes how authentication is done.

Join the Unsupervised Learning CommunityI read 20+ hours a week and send the best stuff to ~50,000 people every Monday morning.

Instead of you being presented with a website—which could be malicious—that you then enter credentials into, you instead navigate to the legitimate website like usual, and you get prompted to authenticate.

You then authenticate using your physical token, which you keep with you, by touching it for example. Or using your face or whatever. And when that happens (this is the brilliant bit), your local token creates a request and signs it with your token’s private key…

…and then sends that specifically to the exact, legitimate URL associated with the token!

That’s the magic. When you enrolled the token with, say, Gmail, the token collected the official URL for Gmail, so it can only send authentication requests to that URL!

The best part of this entire flow is that there’s nothing to type. All you did was touch something or look at your device. Everything else happened in the backend automatically.

And since there’s nothing to type there’s also nothing to phish!

This is why passwordless is the highest level of the CASMM Authentication Maturity Model. It disrupts the standard phishing workflow by completely removing the step of manually creating and entering MFA codes.

Summary

TL;DR: The feature that improves MFA the most is the avoidance of manual MFA codes that must be input somewhere by users, because that is the step that is exploited during phishing attacks.

Not all multi-factor authentication is the same in terms of providing protection to consumers.The primary interactive threat to consumers is phishing, and malware is now gaining the ability to phish for SMS and App-based MFA codes.The way to address this is to move to the top level of the CASMM Authentication Security Model, which allows you to authenticate without having to deal with MFA codes, which is the step that phishing attacks are based on.FIDO2 and WebAuthn are implementations of this “passwordless” authentication model that uses PKI in the background to automatically send secure requests to—and only to—a pre-arranged and authorized URL in the background.Because this happens securely in the background, this system completely removes the step of MFA codes given to you by text or authenticator apps, which can then be entered into a malicious website or given over the phone.And since you don’t have MFA codes anymore, those MFA codes cannot be fished anymore.Consider switching to FIDO2 / WebAuthn based security tokens for your most critical accounts such as your email account, banking, taxes, etc.

Get started with FIDO2/WebAuthn >>

NotesPlease remember, and share with your friends and family, that any 2FA is still significantly more secure than password alone. So while you should be moving beyond SMS and legacy MFA codes, if you have the choice of doing nothing and doing SMS-based MFA, you should still do it.There are other app-based MFA methods that also work transparently in the background to authenticate the user, and those are also at Level 8 because they avoid giving the user a code and are therefore “passwordless”. There are attacks against this stronger auth, but they’re easier to avoid and harder to pull off, e.g., 1) getting you to enroll your token to a fraudulent site, or 2) breaking PKI in some way that makes it look like the auth request is being sent to the legitimate URL when it’s actually going to an attacker.

window.location.href = "https://mailchi.mp/danielmiessler/uns...

No related posts.

This standalone episode is a conversation with my friend Andrew Ringlein on the topic of how crypto is best thought of as a set of accelerators for business, with gaming being the initial flagship.

We talk about Andrew’s 5 principles that accelerate gaming companies adopting crypto first, and then look at how those same concepts will soon be adopted by all types of businesses.

We also discuss legitimate doubts around crypto in general, and discuss why we think the concepts are more durable (and inevitable) than the technology.

No related posts.

In this sponsored conversation, I talk with Ev Kontsevoy of Teleport.

In this series I have organic conversations with entrepreneurs as if having lunch with them and hearing about the product for the first time. They give their pitch, and I dig deeper with questions.

Teleport, in my own words, is a way of rethinking how people access and use computing resources. It’s a policy-based system that controls who can do what across your entire infrastructure using a central access plane.

No related posts.

There’s one thing that’s going well in this Ukraine situation, and that’s the general consensus—China notwithstanding—that Putin is an illegitimate aggressor.

This is something we should celebrate and avoid taking as a given.

Putin has been working very hard to sell an alternative narrative, i.e., that he’s some combination of 1) a peacekeeper helping Russian people inside Ukraine, and 2) a victim of NATO aggression acting in self-defense.

The US in particular has done an extraordinary job of countering these claims through rhetoric, timely and unprecedented sharing of intelligence, and coalition-building with leaders from the rest of the world.

I mean…it’s gone extremely well. Amazingly so. The dominant narrative is currently that Putin is a lying bully launching multiple information warfare campaigns and false-flag campaigns—which have been unsuccessful.

In short, Russia has been canceled. And that’s a good thing, although I feel massively for her people.

But we absolutely must acknowledge that this could have gone another way.

If Trump, or DeSantis, or even some other types of Democrat were in office (Obama?), I could have easily seen a silent invasion, more like what happened in Crimea.

In this model, Putin gives the same narrative, pushes it super hard just like he has been, and instead of violently opposing it the US simply goes quiet. It issues some sanctions, makes some public statements, but doesn’t organize an intelligence campaign or a counter-narrative backed by the entire western world.

In this model, we just look the other way. I think Trump would have done this. I think Putin would have convinced him, and therefore the US and the west, that we’d been too aggressive against Russia in the past, and those Russian folks really did need help in Ukraine. And pretty soon Russia would be in charge of the country.

As we’ve seen from other wars in Myanmar, Ethiopia, Syria, and many others, it’s quite possible to have hundreds of thousands—or even millions—be killed or displaced, and have the US government and US media basically run the stories on page 7.

The fact that this didn’t happen this time is tremendous, and we should recognize that.

Most of the talk around crypto is the argument around legitimacy. Is there a there there? Is it hype? Is it a fad? Is it the next internet?

The second big conversation around crypto is about the tech itself. Bitcoin, ETH, and the thousands of others trying to carve a path.

The way I’ve seen crypto until now has been as a set of ideas, which are:

Decentralized compute, with lots of integrity built-in (Blockchain)Digital currency not tied to a government (Cryptocurrency)Digital ownership of novel items (NFTs)Linking digital governance with digital ownership (Web3)

These are powerful ideas that I see as separate from implementation.

Maybe all this “crypto” stuff gets us there on some or all of them, or maybe blockchain and crypto will fall on their faces. I don’t know, and nobody else does either. But I am confident that these ideas are compelling enough to mold our future in some way, at some point.

So that’s the way I have been thinking about it. But in conversations with my friend Andrew Ringlein, I’ve added another layer on this understanding, and that layer might be far more powerful than the ideas themselves.

Incentives rule

I remember when I first learned about real economics. Not “money” economics, which is how I thought about the field in my 20’s, but uppercase Economics. Like, “why people do stuff” economics.

At the center of all of it were incentives, and even today they fascinate me. I have two favorite examples:

A town in India had too many cobras, so the city decided to pay people to bring them in off the street. But instead of fixing the cobra problem, people started cobra farms and they ended up with way more than they started with.You can’t generally predict human behavior, but if you drop a $100 dollar bill on a busy sidewalk you can virtually guarantee it’ll disappear through human action.

In both cases, there’s a stimulus (a cobra policy or dropping $100), and there’s a response (cobra farms or picking up a piece of paper).

Maybe crypto is best understood as a new set of incentives.

The gaming use-case

I was on a walk with Andrew around our local lake when we stumbled into this crypto-incentives idea. It all started with a simple question. I asked him:

How do you see the intersection of crypto and gaming?

This resulted in a 45-minute conversation that I wish I had recorded, but we’re reproducing it soon in a podcast. Anyway, here are his primary points, which I’m now calling the Five Principles of Crypto Gaming.

There’s a lot of overlap here with crypto in general, but this is a gaming-specific list.

Companies can raise money through NFT launches, which massively accelerates how quickly they can access capital.Those NFTs can have special privileges within the company’s ecosystem, which can raise their value over time as well as function as their own marketing and community-building.Companies can take a small cut of transactions using those NFTs, including when they’re bought and sold.User-Generated-Content (UGC) within games can become novel items (NFTs) or real-estate that earns income in various ways (Web3), giving users far more incentive to create within an ecosystem.Distributed ledgers (Blockchain) have enabled or streamlined many of these dynamics.

I will perpetually cringe when using synergy unironically.

In other words, crypto-gaming enables and incentivizes the following activities in a synergistic way:

Raising money quickly (through the NFT)Users interacting more with your ecosystem (the NFT incentivizes this)Users creating awesome content in your ecosystem (UGC powered by Web3)Users talking about your ecosystem (Communities rise around use of the NFTs)Making money over time through NFT transfers (A steady income stream as ecosystem use grows)

So you can bring ideas to market faster, create a community faster, get people using your services faster, have content for the game created faster, have more people want to participate because they’re also making money and enjoying people using their stuff, and finally you get a percentage of the money from key transactions happening in the ecosystem.

In other words, forget the technology. It’s a distraction. What’s exciting about all of this is a set of interconnecting incentives that feed off each other to propel ideas, ecosystems, communities, and user bases. With the result being more companies launching more ideas, creating better games, with better content, created by more and more people, who get more and more of the benefits.

Examples

Here are some real and potential examples of how this is—and will continue to—play out.

Game history and models

First, let’s look at the pre-crypto evolution of games, which Andrew describes as:

Pay to PlayFree to PlayPay to Earn

I like those, but I also like the following breakdown of gaming.

Join the Unsupervised Learning CommunityI read 20+ hours a week and send the best stuff to ~50,000 people every Monday morning. Gaming V1 (Old School)Content Size: SmallContent Created By: Gaming CompanyContent Dynamics: Company doesn’t add contentInteraction: Single-playerMoney: Customer buys game, plays gameGaming V2 (Everquest)Content Size: MediumContent Created By: Gaming CompanyContent Dynamics: Company slowly adds contentMoney: Customer buys game, plays gameGaming V3 (Minecraft)Content Size: Large/InfiniteContent Created By: UsersContent Dynamics: Mostly User-generatedMoney: Customer buys game, plays game

The money axis doesn’t quite fit here because most games are now Free to Play, which is a separate variable than how content is created. Anyway. The point is that we seem to be heading into a future where:

Games are free to play, but you pay for other stuffContent is largely user-generatedUsers get tremendous benefits for being creators

A good example of where this didn’t work in the past was a Minecraft mod that created the Fortnite genre. It was a survival mod that was cool, but the game owner didn’t want any of it, so it was stifled. Crypto-gaming readjusts those incentives so that gaming companies would love to have someone invent a new, wildly-popular mod!

So an example would be a user signing up, creating a cool city or island in a game, standing up a government, creating really cool magic items, etc., and making money when people decide to come there and spend time (because they like how the system works).

The larger vision here is, of course, the ultimate example of the Metaverse, which is Ready Player One.

In that model people will create entire planets, or universes, in which they can define how the rules work. The physics. The magic system. The amount of magic, tech, etc. The combat system. How items are created, who gets rewarded for what. Everything.

This is what The Sandbox does, by the way.

So it’s basically a platform for people to design their own realities, and of course people are competing to create the best ones because 1) it’s fun, and 2) because of crypto/nft/web3 they’ll become rich if people love what they made and decide to play there.

That’s how crypto intersects with gaming, NFTs, Web3, and the Metaverse to become Ready Player One.

Andrew’s Disney example

Andrew is a huge fan of Disney. He’s also a gamer and is working at a startup in the crypto community-building space. So not only did he explain all of the above to me, but he also has examples for more traditional companies like Disney.

The example he gives is imagining that Disney comes out with a Disney Shield NFT—or whatever they’d call it. Let’s say you pay like $4,500 or something for it, which is a lot. Let’s look at all the stuff it could do.

You get to pick an awesome piece of NFT artwork for itIt gets printed on a super-high-quality badge, which includes an NFC componentYou can display the NFT on Twitter, Facebook, etc.You get 25% off family Disney trips for lifeYou get 25% off your Disney+ subscription for lifeYou get special swag related to your specific NFT every year, for freeYou get auto-VIP status at any Disney park or store, allowing you to jump the lineYou get 25% off all Disney swag at Disney parks and storesYou get access to a Disney Shield Discord where you can nerd out with the other die-hardsYOU CAN SELL YOUR SHIELD AT ANY TIMENEW BENEFITS ARE CONSTANTLY BEING ADDED

…and—wait for it—Disney makes a small cut whenever these are transferred between people.

Just like with the crypto stuff above, where you have the various components playing off each other when bringing a new idea to market, the same model works for existing businesses with existing intellectual property. In fact it works better the more you have.

SummaryCrypto is exciting as tech, but the real power is in changing behavior by incentivizing desired activity.Most important in that behavior is a) quickly raising money, b) incentivizing user-generation of quality content, and c) energizing ecosystem use through NFT club-like features.This ultimately gets us to a Ready Player One situation, only where the creators of all those worlds are the users themselves, and where the users actually co-own the worlds they create and benefit from their existence and use.

This is UL Member Content

Subscribe

Already a member? Login

I want to share an idea that’s very disturbing to me:

It’s not the purpose of any business to give people jobs.

In fact, it’s the opposite. Doing more work with fewer people is a primary goal of business. And if one of the main uses of technology is to make businesses more efficient, then one of the outcomes of improving technology will be a reduction in the number of humans required to perform the world’s work.

This is a serious problem.

Not insurmountable. But serious.

We’ll need to completely reframe the concept of “meaningful work” to something that co-exists with machines and AI being more competent than us.

This is also an argument for the necessity of the metaverse. I’m not saying it’s the only solution, or that it’ll even work. But I am saying it’ll likely be one of the primary strategies for addressing the problem.

In short, the metaverse will be one of the ways we try to give Labor Obsolete humans—or what Yuval Harari calls the Useless Class—a way to contribute to society. Or at least to feel as if they’re contributing to society.

I think when we look back and the metaverse 100 years from now, it’ll be primarily seen as a mental health tool for human transition from being useful to being useless in the old world.

I think we can transition. I’m optimistic.

Join the Unsupervised Learning CommunityI read 20+ hours a week and send the best stuff to ~50,000 people every Monday morning.

I’m not optimistic that we can move to doing jobs that our machines and AI can’t do. But I’m optimistic that we can move to doing jobs that we don’t let machines and AI do.

Like if we need to find a new star system to continue in after our sun burns out, or we need to combat a new pathogen that harms us—those jobs we’ll use machines for because we’ll be too vastly inferior in calculation ability.

But there will be some things we leave for ourselves. Caring for each other. Being nice to each other. Research. Experimentation.

If our lives don’t depend on it, I imagine we’ll retool ourselves to be able to do certain tasks that help us feel useful.

But now that I think about it, why not just let us run an analog, old-world civilization that provides the most meaning? Like tilling fields, picking berries, and exploring the planet?

Like a Westworld for normies, where we get injected into the Matrix for the sole purpose of living a normal (see wonderful) life of birth, struggle, and death.

I don’t know what the solution will be. But I worry a lot about the transition.