Daniel Miessler's Blog, page 39

February 21, 2022

Candles, Crypto, and Electricity


I have a new analogy I’m using to describe Crypto, NFTs, and Web3.

Imagine the whole world runs on candles and gas lamps, and one day we hear that electricity is some big new thing and there are people coming to your town to “electrify” the neighborhood.

Lots of different contractors show up to your town to do the work. Some are excited but careful, and others just want to charge as much as possible, as quickly as possible, and they tend to do bad work.

The result is that lots of people get scammed, and a lot of people lose their houses and even their lives due to fraud and foolishness.

What’s even worse, some of the people who used the best installers still lost their homes to fires, just because electrification was so new.

What are the lessons here?

I think there are several, and I think they apply to Crypto/NFT/Web3.

Any time you have something dramatically new and different you have extreme risk if you get in early.

This usually brings a massive amount of hype along with it.

With that promise and hype you usually have two different types of people trying to take advantage of that: honest entrepreneurs, and fraudsters (and a whole range between them).

The trick to navigating this new thing, if you want to partake, is recognizing how much risk you’re willing to take on to get the potential benefit of this new thing, and doing your best to detect the difference between entrepreneur optimism vs. the scammers.

Finally, even if the thing is real and worth the hype, you can still get hurt by taking a good-faith risk with an honest entrepreneur.

This is Crypto/NFT/Web3 to me, although we don’t actually know yet if it’s electricity or not.

Putting that aside, the point is that the presence of scammers doesn’t mean a new thing is rotten. Scammers come to electricity the same way they come for snake oil. They’re drawn to hype regardless of merit.

And even assuming all this is the next version of the internet, it doesn’t mean it’s safe to invest in it. Investments aren’t usually in the thing itself, but rather one specific articulation of that thing, which is a guess upon a guess.

TL;DR: Don’t over-rotate on any of this, and don’t ignore it. My advice is to watch optimistically and cautiously. It might be nothing and it might be the internet in 1995.

Published on February 21, 2022 19:30

February 16, 2022

Our Return to Normal Shows Risk is Mostly Psychological


Much of the country is done with Covid. At least for this Omicron phase of it.

New York and California are removing mask mandates, and the south and many other regions got to this point many weeks ago.

I think three things have happened simultaneously:

The vaccines have made getting it much less scary.

We’ve become accustomed to the risk so it’s not as scary anymore.

We’re just tired of behaving like we’re scared.

The result is that we’re starting to act like things are normal, which is so interesting to me given the fact that 2,300 people died yesterday. We’ve been at like a 9/11 per day for weeks now, but people are out at bars and restaurants like nothing is happening.

This is not a post where I talk about what people should be doing. People will decide that for themselves. What I find fascinating is how our relationship with risk changes so drastically based on our exposure to it over time.

When this started, a few people dying was headline news and caused panic throughout the country. Today we have 2,300 people die a day and we’re like, “Let’s get drinks.”

This reminds me a lot of stoicism, where the primary tenet is that there is—or should be—a major separation between what happens to you vs. how you react to it. And that’s the muscle we’ve unconsciously grown over time with this thing.

The virus has become less deadly for most people, and people have grown accustomed to the risk. There’s a 1 in 107 chance that you’ll die in a car accident, evidently. That’s really damn high.

How many people are afraid of driving? Not many.

Covid is still killing over 2,000 people a day, and we’re packing into bars and restaurants like it’s 2019.

The point here is that the perception of risk is a very dynamic thing, with lots of factors in play. And one of the most important factors is familiarity. If you live in Beirut, you get used to it. If you live in a society where people die of Covid, you get used to it.

Humans are peculiar.

Published on February 16, 2022 05:14

February 14, 2022

News & Analysis | NO. 318


SECURITY NEWS

China is suspected of hacking into News Corp via a BEC attack, with the goal of targeting journalists for their access to information and sources. The attack was evidently successful against several targets, and Mandiant has been brought on to help with the investigation. More

Google says they see 50% fewer compromises on accounts they enroll to use 2FA. That’s fantastic, but honestly I’m surprised the number isn’t much higher. More

Apple released iOS 15.3.1 to address an actively exploited flaw in Safari that can lead to code execution. More

Two US senators have gone public with evidence that the CIA had a massive bulk data collection program called Deep Dive that was run without oversight. The senators, the EFF, and others are requesting the declassification of the program so Americans can see what was collected. More

Zoom users running on Mac have been reporting that the microphone light has been staying on, even when they weren’t actively using the application. Zoom issued an update to address it, but one fix is to make sure you fully quit Zoom when you’re not using it. More

Cloudflare Tunnel lets you SSH to machines that aren’t listening on the internet. They catch the requests, authenticate you, and send you back to the protected machine. More

Cloudflare has acquired Vectrix to play in the CASB space as part of its SASE (Secure Access Service Edge) offering. The startup focuses on visibility and control of data at rest in SaaS applications. More

CVS says they’ve seen a 300% increase in retail theft from stores since the pandemic began. Rite Aid and other stores are closing locations hit hardest, and one employee said, “They come in every day, sometimes twice a day, with laundry bags and just load up on stuff.” More

Vulnerabilities:

Magento | 9.8 | Code Execution More
Siemens PLCs | 27 Vulnerabilities | High | Denial of Service More
Adobe | Multiple Products | System Takeover More

Incidents: The San Francisco 49ers have been hit by a Blackbyte ransomware attack. The attack has evidently caused disruptions on part of their IT network. More

Companies: Vicarius | Cloud-first Vulnerability Management | $24 million More

TECHNOLOGY NEWS

Amazon has increased its base pay by more than double—going from a max of $160,000/year to $350,000/year. This was a reason a lot of people never looked at Amazon, so if you’re a hiring manager expect to lose more candidates to them for a while. More

Intel is looking to roll out energy-efficient crypto-mining chips. This is cool, but it feels like all this blockchain focus is a desperate response to being crushed by ARM. More

Coinbase QR code Super Bowl ad was so successful it crashed the Coinbase app. As a security guy I’m horrified that we just trained millions of people to scan arbitrary QR codes. More

Someone created a Twitter tracker (@ElonJet) that follows Elon Musk’s private jet. They tried to pay him $5K to stop, but $5K wasn’t enough. More


HUMAN NEWS

A new study has shown that Selenium may be key to new neuron formation, and could be used to help keep people sharp as they age. More

Much of the US is removing mask mandates for indoor events, including indoor restaurant eating. This is for places that haven’t already. Notably, California, New York, and New Jersey are making the change soon. This comes as deaths per day are still quite high, at over 2,400 a day last Friday according to the New York Times. This shows how much risk tolerance comes down to familiarity and the desire to do the risky activity. People are tired of lockdowns, so the sentiment has shifted from panic at a few people dying to being ok with almost a 9/11 per day. More

The inability to exercise is emerging as one of the most common symptoms of Long Covid. More

A new study has shown that the chance of heart disease increases significantly for up to a year after infection with Covid, including with mild cases and for people under 65 without significant risk factors. They showed a 52% increased chance of stroke and 72% increased chance of heart failure. More
 

CONTENT, IDEAS & ANALYSIS

My Favorite Vim Commands in Chrome — A quick piece on my favorite keyboard shortcuts within the Vimium extension for Chrome. Essentially, navigate within Chrome using familiar Vim commands. More

Bradbury’s Dystopia — We’ve all heard about the comparison of Orwell’s or Huxley’s dystopias, where in one case we’re worried about authoritarianism, and in the other we’re worried about a lack of ambition. Bradbury offers another model, which is based on the elimination of complex thought because it’s difficult. This is what Fox News and CNN do, in my opinion. They provide clear good guys and bad guys, removing the nuance and layered nature of reality. Burning books that inspire too much thinking is one way to get there. More

Behavior Shaping — Here’s a crazy idea. Since TikTok is a content surfacing and rewarding platform, and it’s Chinese-controlled, wouldn’t it be interesting if they rewarded different behavior for different populations? What if they rewarded science and engineering and creativity in China, but in Europe and the US they rewarded promiscuity, anti-government, or hate-oriented content? Wouldn’t that be an ingenious way to incentivize the raising of your own society while contributing to the downfall of an enemy? I wonder if anyone’s done any analysis of what gets surfaced or rewarded in different geographies.

NOTES

I went on the Barely Conscious podcast with Justin Adams last week and had a blast. We talked about the future of sentient AI, AI suicide, and how to approach meaning in a world without supernatural belief or free will. More

Enjoying this week’s UL book of the month, The Sovereign Individual.

I’m in the second book of The Stormlight Archives and I feel committed at this point. So. Many. Books. Though.
 
DISCOVERY

Maybe we’re not in an Orwell or Huxley dystopia, but one based on Bradbury. More

Google’s search engine is jumping the shark. More

A lot of security people talking about getting into Crypto/Web3 are really just talking about doing appsec audits. More

Git in one image. More

A reminder that it’s somewhat strange to hold AI to explainability standards when most people can’t explain their own beliefs or actions. More

Rekt — A list of crypto-related security incidents. More

🔥  The simplest and most important dashboard for early-stage startups. More

[ DETECTION & RESPONSE ] AWS Canary Tokens — Sprinkle these throughout the environment and if someone tries to use them you’ll have strong signal you have a compromise. More | by Thinkst

[ OSINT ] Radar Interference Tracker — An open-source tool to locate active military radar systems. More

[ AVAILABILITY ] HaveIBeenExpired — Monitor your websites for expiring certificates. More

[ UTILITIES ] RGA — Ripgrep All: It’s ripgrep, but for tons of extra filetypes, including pdf, docx, sqlite, jpg, movies, etc. More | by Phiresky

[ REVERSE ENGINEERING ] A video tutorial on reversing and patching a crackmes.one binary. More | by Bursa Demir

[ OFFSEC ] SecLists is at Release 2022.1. More | Thanks to g0tmi1k!

RECOMMENDATION

One of the best explanations for strategy I’ve ever heard is to find a really hard thing and to bring a solution that doesn’t yet exist. The worse the problem without being clearly articulated, and the better your approach vs. competitors, the better your strategy. So, if you run a small business, ask yourself this: “What big problem are we solving, and how much better is our solution than our competitors?”


APHORISM

“The most personal is the most creative.”

— Martin Scorsese

Published on February 14, 2022 07:49

February 10, 2022

My Favorite Vim Commands in Chrome


I’m a huge Vim nerd, for hopefully obvious reasons, but one often finds oneself in need of a web browser. I use Chrome, and it has a plugin that I don’t think enough people know about called Vimium.

Vimium does exactly what you’re hoping for—it lets you use Vim commands in Chrome.


A more complete set of available commands

There are lots of commands available, but these are my favorites:

j — to scroll slightly up
k — to scroll slightly down
d — scroll half a page down
u — to scroll up half a page
r — to reload the page
yy — to reload the page
/ — to search on the page (followed by n and N)
T — to search within tabs

Use cases

External URLs — You get sent a URL from somewhere like Messages, Signal, or Email, and you copy it to your clipboard. Simply ⌘-TAB to get to Chrome and then press P. This will open that URL in a new tab for you. So it’s 1) open a tab, 2) paste, and 3) press enter—all in one keystroke. If you only have a fragment in the clipboard, P will search for that fragment instead.

Searching Tabs — You can configure Chrome to search within tabs but that requires that you get to the URL bar, search, and find your result. Using T you can do it from anywhere and the results are quite good.

Scrolling — Reading a page with j and k is very familiar since I spend a good amount of time in Vim.

Finding Text — Similar to scrolling, using /, n, and N to find, find next instance, and find previous instance are far more warm and fuzzy than ⌘-f and clicking through results.

Summary

Vimium is a sleeper of an extension. If you’re a Vim user it brings some familiarity to your other most-used application—the browser.

I hope this helps a fellow Vim user get more efficiency and comfort from Chrome.

Published on February 10, 2022 04:06

February 7, 2022

News & Analysis | NO. 317


SECURITY NEWS

The Biden Administration has formed a Cybersecurity board to serve something like an NTSB for breaches, and they’ll start by looking into log4j. More

Attackers were able to steal around $323 million in cryptocurrency by exploiting a web-based service called Wormhole. Wormhole is a system that allows one to transfer crypto between blockchains, specifically between Solana and other chains like Avalanche, Ethereum, Polygon, and others. The attack created a fake minting account that created 120,000 ETH coins on the Solana chain and transferred them out. This is a great example of where so many flaws just come down to failed logic when doing the basics. More | The Attack

Cloudflare has launched a paid public bounty program. More

The US is testing robotic patrol dogs along the Mexican border. People are upset not just about automated sentries on the border, but because the company that makes the “dogs” (Ghost Robotics) previously highlighted a similar robot with a sniper rifle attached to it. More

Canada is facing a serious security situation related to the Trucker Vaccine Protest, which has now turned into something like an occupation of Ottawa. It has January 6th vibes, and while I don’t know much about Canada, I do know enough to be worried. More in the Ideas section below. More | A Tweet Analysis

Vulnerabilities:

Cisco Small Business RV Routers | Critical | Code Execution More
Samba | Critical | CVE-2021-44142 | 9.9 | RCE More
Google Chrome | 27 Vulnerabilities | High More

Poll: “Do you like this condensed format for displaying vulnerability information?” Vote

Companies: PlexTrac | Purple Team Management | $70 Million (they’re also a sponsor!) More

MariaDB is becoming a public company. More

TECHNOLOGY NEWS

Meta lost the most value of any company in history last week after announcing earnings. They lost users for the first time as well, and announced that Apple’s privacy changes will result in over $10 billion in lost revenue in 2022. More

Amazon now has a $30 billion advertising business. More

Amazon is raising the price of Prime from $119/year to $139/year. The last bump was in 2018 when it went from $99 to $119. More

Buzzfeed found the real names of the Bored Ape Yacht Club’s creators. They’re two guys in Florida. More

The IRS is facing pushback on them using ID.me to verify identities. People are evidently not super enthused about having to upload selfies to be able to pay their taxes. More

Amazon and some others are looking at potentially buying Peloton. More

A number of UK supermarkets are going to use cameras and AI to determine if people are old enough to buy alcohol. If they look under 25, they’ll have to show ID to a human. The goal of the system is to reduce line times by automating most of the checks. More


HUMAN NEWS

President Biden re-instated the Cancer Moonshot program to accelerate progress against cancer. The goal is to reduce the death rate from cancer by 50% in the next 25 years. More

The lack of teachers problem is so bad in New Mexico that there’s an initiative to use National Guard troops as substitutes. More

Americans believe their overall quality of life, the ability for someone to get ahead if they’re working hard, and many other key satisfaction elements are significantly worse in 2021 and 2022 than in 2020. I personally see this as more evidence that Trump will be extremely strong in 2024. It’s not about reality; it’s about the perception of reality, and he’s a master at controlling that narrative. The top metric, for example, was the overall quality of life. It was rated as an 84 in 2020 and 67 and 69 in 2021 and 2022. More


CONTENT, IDEAS & ANALYSIS

The Rise of White Extremism in the US, Canada, and Europe — How I think January 6th and the Trucker Freedom convoy in Canada have a lot more in common than people think, and how I believe it’s part of a much bigger problem. More

Thoughts on Rogan and Redemption — My reaction to the Joe Rogan racism controversy, and a brief discussion of who deserves redemption and who doesn’t. More

The Irony of InfoSec’s Reaction to Crypto, NFTs, and Web3 — An argument that the InfoSec community should be more open to exploring technology that could shape our future, even when they have valid concerns and criticisms. More

Employee NPS Scores — I just had this article shared with me on the concept of simplifying employee (and manager) reviews down to a single question: “How likely are you to recommend working with [PERSON] to a friend or colleague?” Absolutely brilliant. The same goes for managers. “How likely are you to recommend working for [PERSON] to a friend or colleague?” As the article points out, there are tons of great rating systems that might eventually get you to this level of accuracy, but many of them involve multiple surveys, lots of interviews, and days or weeks to complete. This is one question, and according to the author of the article, it often yields the same results. Officially my favorite find of the week. More


NOTES

We now have a dedicated page for the UL Book Club! It covers how we select books, when we meet, and has a running list of all the books we’ve discussed in the past. More

Last month’s Book Club was tremendous fun, and the book, Project Hail Mary, was surprisingly excellent. I mean we thought it would be good, but many of us could not put it down. One of the purest executions of science fiction I can remember since The Three-Body Problem. And we’re reading that soon!

My great friend Mohsan Farid was just on the Bad Crypto Podcast. He talked about how he got into hacking, the different places he’s worked, as well as his company LedgerOps which focuses on blockchain security. Mohsan is an awesome hacker and a wonderful human being, and this is a great primer on what he’s up to. More | via The Bad Crypto Podcast

DISCOVERY

Neural.love — An AI that takes an old image and produces something that looks more like a photograph of the subject. For example, a crappy selfie, an old painting, etc. Submit them and get back a decent picture of the person. More

Runway ML — An AI-based video editor that allows you to remove backgrounds, remove subjects, and otherwise edit scenes with extreme ease. More

An extraordinarily in-depth post on the fundamentals of a good security program, by Phil Venables. More 

The Great Resignation Might Be Due to the Old Age of US Workers — A great piece on how old a lot of US workers are. The median age in the US is 38, but many professions have median ages closer to 50. More

Non-Security Things That Can Sink a Security Program | More | by Helen Patton

China had to make the snow for its Beijing Olympics, and it wasn’t easy or cheap. More

Google Slides is Hilarious More

Democracity Booklet, New York World’s Fair 1939 More

🔥 Managing People More | by Andreas Klinger

An epic zoom-in to the center of the Milky Way galaxy, culminating in a look at stars orbiting the black hole at our center. More

Ask HN: How Do You Deal With Getting Old and Feeling Lost? — Answering this question for other people is basically my life mission. If you feel like this, let me know so I can try to help. More

“You’re a better hacker if you know how to build the thing you’re trying to hack.” More | by Fabio Viggiani

Curl now has a JSON option! More

[ OSINT ] Favicon Map — Shodan’s database of favicons it’s found during its scanning. More

[ VULN MANAGEMENT ] OWASP WrongSecrets — An insecure app full of insecurely stored secrets. More
[ NETSEC ] Scanning Made Easy — A joint project between NCSC and i100 to create a collection of NMAP NSE scripts that function much like a unified vulnerability scanner. The Scripts


RECOMMENDATION

Any time you need to rate something (like employees, managers, products, whatever), and you’re overthinking with some elaborate system, consider using the NPS model. Basically, just ask one question: “How likely are you to recommend [THING] to a friend or colleague?” It might not be as good as your super-fancy system, but it might actually be better. And it’ll definitely be faster.


APHORISM

“All gardeners live in beautiful places because they make them so.”

— Joseph Joubert

Published on February 07, 2022 03:20

February 6, 2022

The Rise of White Extremism in the US, Canada, and Europe


Canada is experiencing something like the US’s January 6th event in what’s being called a “Vaccine Protest” and a “Freedom Convoy 2022”, alluding to it being made up largely of truckers.

To my uninformed eye, this looks very much like the January 6th event (prior to the storming of the Capitol) because it seems to be about much more than just vaccines. My read is that this is actually conservative white Canadians banding together against heavy immigration in large Canadian cities, the feeling that the government is not working for “real” Canadians, etc.

If this is true, the vaccine stuff is just a surface-level catalyst. From my piece Frontview Mirror | 2021 Edition:

As demographics continue to change in Europe, the US, and Canada, expect increasing numbers of young white males to gravitate towards extremism as an alternative to being told they are guilty, worthless, unworthy of mates, etc. Anyone who will tell them that they’re valuable and attractive— and that they should be proud—will be irresistible to large numbers of them.


I believe this, along with China, is the single largest security problem facing the world in the 2020’s. Essentially, white people in the US, Canada, and Europe mobilizing against demographic and cultural changes they feel are robbing them of their well-being and pride.

This should frighten us, because when there is a lack of pride in a people, it leaves a vacuum for a Nationalism or race-based autocrat. Trump has been that person for the US. Who will it be for Canada and the various countries in Europe?

We need to find a healthy way to address this increasing loss of pride and rise in anger among young white people. Part of that solution has to be the tough-love message that nobody actually deserves anything, and that if you’re out-hustled by immigrants then you should expect them to get all the nice things.

In short, the Golden Age of white people was when they were immigrants, and if you—young white man—want what they had, then you need to think and behave like an immigrant as well. If you don’t, you will watch those who do get everything while you get nothing.

Whatever the solutions, we must start acknowledging the problem. There are millions of white people in the US, Canada, and Europe who think their countries are being stolen from them by liberals and immigrants, and they’re getting very angry. Some of them are already racist, some of them aren’t racist at all, but as the anger grows they’ll start sharing more and more of their beliefs as a unified “us” vs. “them”, and this will be stoked and weaponized by rising right-wing leaders.

Those leaders won’t be looking for a healthy release based on tough love. They’ll be telling the white people they deserve to be angry, because these are their countries, and that there should be plenty of jobs just like their parents used to have, but the immigrants have taken them all. It’s all bullshit. The jobs are changing and going away altogether. But those leaders will either not know that or not care. They will turn the white people in their audience into victims, and the immigrants into the enemy.

Along with the rise of China, this is perhaps the single biggest risk to healthy human civilization facing us in the next couple of decades.

Published on February 06, 2022 15:36

The UL Book Club

This is UL Member Content

Published on February 06, 2022 11:44

Thoughts on Rogan and Redemption


I wanted to put out some thoughts about the Joe Rogan racism controversy. A video surfaced recently of Joe using the n-word multiple times over the years on his show and elsewhere.

Joe has come out and apologized, saying he used to think it was ok for anyone to use the word, but now he thinks differently, and that the video looked bad even to him. He went on to say that he’s not used the epithet in years, and that he was very sorry.

I’ve not dug into it deeply, but my first impression having watched a lot of Joe Rogan in the past is that the guy is obviously not racist—at least as the person he is now and probably has been for like a decade or so. I judge this by the number of diverse friends he seems to have in his life and his relationship with people like Dave Chapelle. When he sits with his many diverse friends riffing on comedy and life for hours at a time, the love between them feels impossible to fake.

I think people can change. I think Joe is from Philadelphia, and I think he’s from a background where racism is normal and accepted. He also grew up in the early 80’s. In my mind those all add up to him likely being racist, or at least acting racist, in his past somewhere. And I doubt he’d disagree with that.

But people can change, and it seems clear to me that Joe is way different now than he was in the past. He’s largely a hippie at this point in the sense of giving love to people. He loves hearing about people’s stories. Lifting people up. This is what his show started as, and if you look at his guest list it’s pretty damn diverse. Those are his people. His friends. And his colleagues in his world of comedy and MMA.

The point of all this is to say that the 80’s was a different world when it came to racism. Hell, the early 2000’s were a different world compared to now. A massive portion of people reading these words has used epithets in the past, either out of hatred or to be funny, and in a way that would destroy their careers if it were public.

We have to start judging people for who they are today, not for who they were in the past. This is especially true since our culture has evolved so quickly in the last 10 years—forcing people to see the flaws in their previous behavior. We must give people the ability to evolve away from their previous selves and into a more open, loving, and considerate person.

There are disavowed white supremacists walking around today spreading love towards the people they hurt. We should reward and encourage that rather than discard or ridicule it because of who they used to be.

There are, of course, people who are faking their apologies, and those types should obviously not be forgiven. But thankfully I think it’s pretty easy for most people, and to the Wisdom of Crowds as a whole, to see the difference.


It’s ok to hold someone responsible, and to demand a full apology from someone who’s been horrible in the past. Growing up in the 80’s, or around other hateful people, can be listed as valid explanations but never as excuses. 

But when someone does fully come around, sees how messed up they were, and truly apologizes and changes their ways—we have to embrace them as examples, not clobber them with their previous selves. We must, as a society, give flawed people a path to redeem themselves. Not for Weinstein. Not for Spacey. Not for people who have done too much harm or are unable to change. But in most cases—for most people. 

It’s time for the second phase of cancel culture. The first phase was a much-needed purge. I’m glad it happened, and we need to be ready to do it again if necessary. It refreshed us tremendously and upgraded our standard for acceptable behavior. There’s a name for cringing at movies from the 80’s and 90’s—it’s called progress.

But if the first phase was The Purge, this second phase needs to be The Redemption. It’s time to reclaim those who have actually felt the shame, honestly apologized, and done the hard work of improving themselves. 

We should absolutely celebrate perfect people who have never felt hatred or been a shitty person when they were young. But maybe those people weren’t perfect at all. Maybe they were just lucky to have non-racist parents and friends.

I’d argue we need to celebrate even more those who weren’t so lucky. The people who grew up in a racist neighborhood with racist friends and family, and who—despite all that—found a way to realize it was wrong and change their behavior.

Let’s make that the second gift of cancel culture. Like the presence of new flowers after removing the weeds.

Published on February 06, 2022 04:12

February 2, 2022

The Irony of InfoSec’s Reaction to Crypto, NFTs, and Web3


There’s something strange about how our InfoSec community is reacting to cryptocurrency, NFTs, and Web3.

Mostly, it’s quite negative. And not dispassionate negative either—but a negativity soaked in ridicule and hate.

This is very curious coming from a community that includes so many hackers.

I think this comes from the dual nature of hackers themselves. On one hand, hackers are super open-minded and curious. They find everything interesting and can’t wait to learn about new things.

On the other hand, they’re also anti-establishment and anti-hype. Or at least, mainstream hype. Kind of like people who only like underground bands until they get popular. While it’s underground they’ll hype it all day, but once too many people like it they go find something else.

And that’s definitely happening with crypto and NFTs and Web3. Everyone’s talking about it. Everyone’s launching a coin, an NFT, or talking about how Web3 will solve all the problems. So I suppose it’s natural for hacker types to throw rotten fruit from afar.

But it still seems strange. I feel like the opposing force of curiosity and exploration should be strong enough to counteract that tendency.

We’re the security people. We should be walking the minefield before everyone else—to try to make it safer for the normies. We should be curious about it. We should be experimenting with it.

Hackers are simultaneously curious and skeptical, which is a great mix.

It might be total shite—at least some parts of it. And there’s definitely too much unhealthy hype around it. But that doesn’t mean the whole thing is rubbish.

If there’s even a moderate chance that decentralized computing, shared ownership of organizations, and digital validation of ownership will take off—which I think is a matter of when and not if—I think hackers should be fascinated by that. Like, holy shit, we could very well be in the BBS days of a new type of internet.


And some hacker types definitely get it. Not everyone has gone negative on this stuff. I know lots of people who have been messing with crypto and NFTs and such. But guess what? Many of them are quiet about it because they don’t want to be ridiculed by their fellow InfoSec people.

It’s bad when hackers have to keep their curiosity about a new thing a secret from their own tribe.

We can do better.

All this stuff going on—putting aside the hype—could end up being a new substrate for everything, just like the internet in the 90’s. Or maybe not. Maybe it’s too early. Or maybe this tech won’t get us there. Or maybe it’s all crap. Who knows.

And I want to be very clear: it’s ok to find problems in things. It’s ok to warn people if you see danger. It’s ok to have a negative opinion about something. Obviously.

What I’m talking about is default hate towards anything new and strange. Like Cloud for instance. And now Crypto. Maybe they’ll work out, maybe they won’t.

But as security people—with the hacker spirit in many of us—I feel like we should be more curious and optimistic, and less prone to attack new things just because they’re strange.

It’s fine to warn, caution, and criticize. That’s part of our DNA too. But we should do our best to maintain a backdrop of optimism and curiosity when we do so, especially when looking at something with the potential to shape our future.

Notes

Feb 2, 2022 — I did some slight softening of the post to make it more clear that I think criticism is fine, and even needed, but that I just don’t want us to lose the openness and curiosity aspects that make our culture so great.

Moxie’s article on NFTs was an interesting example in that he didn’t completely bash the whole enterprise. He advised caution, and he did so after actually playing with the tech himself.

A fellow security professional reminded me that this is similar to how security viewed the move to Cloud as well. And then all these years later nobody even notices anymore.

Image from a Coindesk article by Annie Zhang.
Published on February 02, 2022 07:24

