Daniel Miessler's Blog, page 43
November 14, 2021
Degrees and Credentials in InfoSec
If you’re on InfoSec Twitter you’ve probably seen the recent iteration of the neverending debate around degrees, certs, and InfoSec.
Basically, one side argues that you need college to be taken seriously in security, and the other side says nuh-uh! and proceeds to give lots of examples of people without a degree.
For more on this, see The False Dichotomy of Conflicting Ideas.
Let me try to express something that applies to much more than this topic: When you have debates with multiple people making good points that are backed by evidence, the answer is likely that they’re all right to some degree.
And that’s definitely the case here.
Let me give you three facts:
1) Recruiting teams at major companies who are looking for cybersecurity talent are largely looking for college graduates. And they’re often looking only at top schools.
2) There are lots of people with no college and lots of desire who can’t get a callback from a company that needs talent.
3) Lots of the best people in InfoSec don’t have a degree or a cert.
These are all true. And they’re all true at the same time.
How is that possible?
Corporate recruiting teams are playing a numbers game, and they’re ultimately looking for safe bets. Getting accepted into a big, well-known school makes you a pretty safe bet, and graduating with a degree in computers from such a school makes you an even safer bet.
That’s for new people who don’t have lots of experience. Basically, if they have no knowledge of how well you’d do from looking at a career, they have to go by what they do have. So, on one hand, they have a top school and a good computer science program, and on the other hand, you have someone who seems eager but doesn’t have that—they tend to go with people with college.
That’s a fact.
But—and this is a huge but—the whole game changes when you are already known for being good at something, and/or if you know someone involved in the hiring.
If you’re a named person, who is famous for being able to find bugs, or manage programs, or run a community, you essentially get a VIP card for entry into the field. If people know you, and someone tells the hiring manager, well now they’re looking at your experience instead of your training.
That’s the trick: these are all just ways of finding a proxy for how well you’re likely to do. College is a proxy. Certificates are a proxy. Work samples are a proxy.
But the best proxy, by far, is experience. And being named is like experience with a gold star.
Anyway, that’s why both of these things can be true at the same time.
If you’re unknown to the world yet, and you don’t have any credentials, you’re not likely to be considered or targeted by corporate recruiting teams, and you won’t stand out even if your resume is seen.
Also don’t forget luck.
This is why it’s correct to say that having a degree in computer science is a good thing for getting into security.
But it’s absolutely not needed. If you’re bright and hungry enough, you can put yourself on the map, at which point nobody will care about your training anymore.
Both are true. The latter proves the rule of the former. Twitter is just really bad at this type of thing.
November 7, 2021
News & Analysis | No. 306
November 1, 2021
News & Analysis | No. 305
The US has banned China Telecom over national security concerns. The fear is that they could use their infrastructure to access, store, disrupt, and/or misroute US communications. They must discontinue their services in the US within 60 days. More
US intelligence agencies released a report on the origins of COVID-19. The FBI thinks it leaked out of a lab, but most other agencies think it happened naturally. None of the groups thinks it was created as a weapon. This matches well with the armchair analysis I and others in the UL community have done over these many months. Basically, the lab leak theory is unlikely, but it’s foolish to discard it outright without having good reason. More
MITRE and CISA announced the 2021 CWE Most Important Hardware Weaknesses List. Interesting list. Top hits were: improper isolation of shared resources on a SoC, improper access control for on-chip debug and test interfaces, and improper prevention of lock bit modification. More
NSA is hiring people for “cyber careers” with CS, C/EE, Intelligence, and Math backgrounds. More
The US is working with Taiwan to secure the chip supply chain. More
Incidents: Zales.com had a data leak, like Jared and Kay did in 2018. More
Vulnerabilities: Apple patches 22 security flaws in iOS 15. More Adobe patches over 90 issues in 14 of its products. More
Companies: Dragos has become Industrial Cybersecurity’s first unicorn after raising $200 at a valuation of $1.7 billion. More
TECHNOLOGY NEWS
Facebook changed its name to Meta, and they’re spending at least $10 billion on it this year. More | My Analysis
Tesla got an order for 100,000 cars from Hertz, and the resulting bump in its stock price made it a $1 trillion dollar company. More
US regulators are looking at how banks might be able to get into crypto to avoid being left behind. More
After Apple’s stock dip from its earnings call, Microsoft became the world’s most valuable company. Not sure that’ll hold for long, though. More
If you have a Tesla with the latest update, you can now remotely stream video from your car’s cameras. More
Photoshop is about to get the option to prepare an image as an NFT. More
Microsoft is going to work with community colleges to fill 250,000 cybersecurity jobs. More
Tim Cook said Apple lost $6 billion due to supply chain problems, and that they’ll lose even more this quarter. But they still crushed it with $83 billion in revenue, which is up 29%. More
Niantic just launched its new AR game, Pikmin Bloom, which is like a seed & plant version of Pokemon Go. You have to walk around outside, plant seeds, see them grow into plants, and journal about your activities. More
Patreon is exploring crypto as a way for creators to earn more money. More
Companies: Shopify’s quarterly revenue rose by 46% as people return to spending. More
HUMAN NEWS
A new meta-analysis found that high levels of vitamin D3 are inversely correlated with COVID-19 mortality. I would add this to the list of “make sure your D3 is high enough”, but I’m not skilled enough with this science to read this paper properly and tell if it’s a slam dunk or just another drop in the bucket. What I can say for sure is make sure you’re not D3 deficient. More
Texas Republicans are looking to make Texas the center of the US crypto world. I guess this is on-brand, given the decentralized and counter-government vibes of advocating for a competing currency to the USD. More
A new study by the CDC says vaccination protects against COVID better than natural immunity due to infection. More
35% of registered voters in the US think the last election should be overturned. More
CONTENT, IDEAS & ANALYSIS
Thoughts on Facebook Meta — This move by Facebook is genius on multiple levels, and I feel like the only way it can fail (at least completely) is if it’s too early. Full Essay
NOTES
I’m almost done with the new Pinker book, Rationality. Really, really good. It’s like a massive collection of pitfalls for thinking clearly.
I’ve been watching tons of Vim content on YouTube. It’s pretty much Vim, Chess, and Table Tennis in my history. Yep, nerd central. Anyway, I highly recommend these two plugins (HT to The Primeagen) which have been much-desired upgrades. They give me fish-like autocomplete for commands, plus really cool syntax highlighting for in/valid commands while doing so. Also, I highly recommend lsd as a replacement for ls. More | Bad | Good
DISCOVERY
Is Korea the new cultural superpower? More
Shodan Trends — See trends in internet attack surface. More
Atlas of Surveillance — More
Slow Down, Finish Faster More
iFixit did a teardown of Apple’s out-of-stock polishing cloth. More
Repeat Yourself, a Lot More
The 37-Year-Olds Are Afraid of the 23-Year-Olds Who Work For Them More
Beyond Smart, by Paul Graham More
Threat Matrix CI/CD — A common threat matrix for CI/CD. More | by Rung
SSRFmap — Takes a Burp request file and fuzzes for SSRF. More | by Swissskyrepo
Browser Fingerprinting — A bunch of tech and discussion that will help you build a web scraper that will be harder to block. More | by Niespodd
Embark — The firmware security scanning environment. More | by e-m-b-a
MVSP — Minimum Viable Secure Product. A minimum security baseline for enterprise-ready products and services. More | The List
RECOMMENDATIONS
Conflicts with people we care about are too often caused by, 1) one or both parties not knowing what they want from life, or 2) one or both parties not honestly articulating what they want from life. Try your best to be good at both of those. Figure out what you want—what you really want—and be willing to ask for it from those you share your life with. This will polarize some relationships, but that’s ok. What remains will stand on a stronger foundation.
APHORISMS
“All human activity is promoted by desire.”
~ Bertrand Russell
October 31, 2021
Thoughts on Facebook Meta
Facebook changed its name to Meta—which happens to mean “dead” in Hebrew. The change also morphs the big-tech acronym from FAANG to MANGA. So that’s fun.
As with most big ideas, half the internet thinks Meta is Jesus, and half the internet thinks it’s the Zune. This also applies to NFTs and crypto, and it’s too early to say for all three.
But for the metaverse (hard to argue meta isn’t the leader when it’s right there in the name) I think we’re missing an important point:
The real world is becoming increasingly hostile to regular people who do regular work.
I think the metaverse will be massive not so much because gaming and VR will be big, but because gaming and VR will be the only avenue to thrive for the bottom 80% of people on the planet.
This isn’t about virtual reality, it’s about alternative reality. As in—the alternative people will flock to when regular reality becomes unbearable.
How smart is that?
Not only are they building the obvious home for gaming, but they’re also building the future evacuation zone for everyone who can’t afford to thrive in meatspace. Which is most people.
I’m not one to say this, but it could be said that the billionaires are creating a world where the millionaires will reign in the real world, and everyone else will move to VR.
Big corporations will start providing the main services, like healthcare and delivering mail, and the government will just subsidize to make sure the people don’t revolt. The better the VR is, the quieter the masses will be. And I don’t mean this in an Orwell sense. I mean it in a Huxley sense.
Whoever controls that ecosystem—or even a major portion of it—is going to be something like god. It’ll be like AWS for a functioning society. They’ll have lots of SREs not so they don’t lose revenue, but so they don’t have riots in the streets.
I mean that’s a cool fiction story idea right there. There’s an outage in The Meta, which causes people to go outside of their houses and socialize, and while they’re out there they realize the rich people actually live here, and have a better life than they do. Hijinks ensue.
It’s a lot like waking from the Matrix actually, and realizing that you want real life instead.
Anyway, this is a smart move by Face-meta. It allows Zuckerberg to dodge the scrutiny bullets and become a quixotic futurist, and at the same time build the reality substrate for 80% of the planet.
October 25, 2021
News & Analysis | No. 304
October 24, 2021
Wokeism Will Elect Trump in 2024
The backlash against Wokeism will elect Trump in 2024.
I’ve been saying this since March of 2020, and I want to say it here explicitly: Wokeism will elect Trump in 2024. The extreme left is continuing to make the same mistake they made before 2016, which resulted in the first Trump presidency.
That mistake is the complete lack of empathy for those who think differently than them—namely, people who do not endorse the Woke agenda. Are a lot of those people racist? Are a lot of them sexist? Yes. But millions of them aren’t, and the fact that Wokeism treats them all the same, and as if they’re somehow worth less than smart people with good jobs who live on the coasts, will directly cause another Trump win in 2024.
Trump getting another term could literally dismantle our country. This is someone who is denying the results of a fair election, where the results were analyzed by dozens of groups, dozens of courts—including those run by Republicans—and no evidence was found of fraud that could have affected the outcome. Yet he still insists—like a Central American dictator—that the election was stolen.
Because of his willingness to place his own brand and interests above Democracy itself, he is a direct threat to the United States, and he will ironically be brought to power—again—by the same exact people who brought him in the first time.
Middle America and The South, i.e., the people who vote for Trump, need a non-Trump option that doesn’t make them feel like the backwash of our country. They don’t have one. They have Woke on one side, and a literal Authoritarian on the other. Of course they’ll choose authoritarianism. Authoritarianism in the name of Democracy. Isn’t that always the way Authoritarianism goes? The people attacking the Capitol were doing it out of patriotism. That’s a hell of a sentence. Attacking Democracy for patriotism.
Anyway, until we see a moderate, centrist option for the other 50% of our country, we’re going to see Trump and people like him having massive success in elections. And even worse, the adverse reaction to Wokeism will bring a lot of the center and left to vote for those candidates too—just to send the message that they don’t like the extreme left.
TL;DR: The extreme right and left are the problem, and the reason we’re in so much shit right now is that there are no center candidates that respect the 50% who are moderates in this country.
When the moderates have nowhere to go, they pick a side, and Wokeism is pushing far more people to the right side than the left. Quietly. Silent anti-Woke people. These are the people who will elect Trump in 2024. We had all the data to figure this out in 2016, yet here we are about to make the same mistake in 2024. We don’t deserve nice things, and we’re perilously close to losing the nice things we have.
October 23, 2021
Some Quick Thoughts on Crypto (October 2021)
A Quick Thought on Crypto
October 17, 2021
News & Analysis | No. 303
CIA Director William Burns says the agency is creating a new China Mission Center to counter the overall threat from Beijing. “CMC will further strengthen our collective work on the most important geopolitical threat we face in the 21st century, an increasingly adversarial Chinese government.” More
CISA has issued warnings on threats targeting water and wastewater systems. More
Moscow metro has rolled out Face Pay at 240 train stations, which is a way for passengers to pay for their ride by just having their faces scanned. The tech requires no phone, no metro card, and no credit card, and privacy groups are worried it’s a mechanism for controlling the population. More
Havana Syndrome has hit at least five US families connected to our Colombian embassy. “People experience different things. Some hear grinding sounds. Some hear vibrations in their head. The whole situation is very bizarre.” More
Israel has developed a technology that can see live objects behind walls from over 50 meters away. It’s called the Xaver LR40, and it’s a portable system that can see how many objects are moving behind walls in real time. More
The Pentagon is looking to leverage AI to crunch and analyze massive numbers of data feeds in order to predict enemy action hours or days in advance. The names being used for this type of capability include, “information dominance” and “decision superiority”. I love the idea here, and it reminds me a lot of skin cancer diagnoses. It’s great to have this type of analysis happening constantly, in tandem with human analysts who can’t review as much, or as fast. At first the tech will be a low-signal data point, and then over time it might become the primary source with the human being the final check and filter. Exciting and scary stuff. More
Vulnerabilities: Apache Tomcat DoS More WP Fastest Cache Plugin XSS and CSRF Data Extraction More
Companies: SpotAI raises $22 million to extract intelligence from security videos. More At-Bay raises a $20 million Series D to continue working on a continuous monitoring-based approach to cyber insurance. More Black Kite raises $22 million to do vendor risk management. They use the MITRE framework and Open FAIR to provide letter grades to vendors. More
TECHNOLOGY NEWS
Facebook is hiring 10,000 people in the EU to work on the metaverse, which is basically their branded version of VR. More | A Similar-ish Idea I Had From 2006
Coinbase is launching an NFT product later this year. The space is heating up for sure, and half the stories you read are either telling you it’s the next big thing or the biggest scam in the world. I’m 80% bullish, but still not sure if we’re too early. More | More
Twitter now allows you to “soft-block” people by clicking on them and selecting “Remove this follower”. More
The US has taken the spot of top Bitcoin miner from China. More
Tesla has a new insurance policy that adjusts your premium using real-time driving behavior. But it’s only available in Texas. You still pay monthly, but what you pay is based on how you drive instead of your demographics. More
Sony is partnering with TSMC to build a new $7 billion chip plant in Japan. More
Magic Leap raised $500 million to build a new headset, even though the last one fell through completely. It’s supposed to come out in 2022. More
HUMAN NEWS
The US inflation rate is at 4.3%, which is a 13-year high. More
Around 4.3 million Americans quit their jobs in August, which is the highest number since December of 2000. That includes over half a million healthcare workers. More
This article is about just one startup, but I think the startup activity around the combination of psychedelics and therapy is going to be massive if/when substances like psilocybin and MDMA are approved. More
CONTENT, IDEAS & ANALYSIS
Opiates and Social Media Are Symptoms, Not Causes — A short essay on how I believe addiction problems often come down to a lack of direction and meaning. More
Lifecasting: What It Is, and How It’ll Change Society (2002) — My essay from 2002 on how everyone would be streaming their lives using phones/peripherals. I, um, got the timing a bit off I’d say, but I think some of the piece is still pretty good. More
Honest Signaling — I like this article’s approach to discussing NFTs, and especially this idea of “honest signaling”. Tons of people wear fake luxury products and there’s no way to tell at a glance which are real or fake. Imagine your eventual AR glasses being able to show that to you in realtime. As I talked about in my book, that is functionality we can guarantee will arrive because it’s been useful for thousands of years of our evolution. Few things matter more than being able to differentiate true and false signals of fitness/beauty. More
NOTES
I bought the new Apple Watch on opening day (I short-camped for it), and I would simply say this: if you’re 1) a watch enthusiast, 2) an Apple fanboy, or 3) you don’t have an Apple Watch yet and you’re thinking about getting one—I’d go ahead and get it. It does present as really large, clear, and bright. But if you’re not in those categories, I’d skip this upgrade.
I finally got my sound diffusers from GIK Acoustics that I ordered about 6 months ago. They look pretty great, and I think they’ll help a lot with reverb in the studio. Image
I finally did what I’ve been talking about for a while and got rid of the monthly subscription plan. Not many subscribers were left on it, but if you were on it you’ve been migrated over to annual. The cost over a year will be less than half the cost ($8 vs. $20 per month).
I watched Squid Game with my girl this weekend. Not because I wanted to, but because it’s such a huge cultural phenomenon that I felt compelled. It was worth it, if only for that reason. I find all the Korean discussion of class warfare fascinating (see Parasite, Squid Game). I need to find some good analysis on everything that was being claimed or stated about society in the show. If you see any good writeups, let me know.
DISCOVERY
Remote Ham Radio More
NFT use cases that could go mainstream. More
OpenSea — An NFT marketplace. More
The Great Re-evaluation More
Sam Harris was interviewed by Scott Galloway at the Code Conference. More
DDOSify — A high-performance load testing tool. More
Building an end-to-end Kubernetes-based DevSecOps software factory on AWS (HT @ClintGibler for multiple links this week) More
The OSINT Treasure Trove More
ChangeMe — A default credential scanner. More
RECOMMENDATIONS
How to Take Over the World — One of the best podcasts out there right now, especially if you’re reading or listening to these words. It’s a combination of Hardcore History with extracted productivity tips from the world’s smartest and most productive people. More
APHORISMS
“If you are everywhere, you are nowhere.”
~ Seneca
Opiates and Social Media Are Symptoms, Not Causes
A number of years ago I read a book that changed everything about how I think about addiction. The book is called Lost Connections.
The main premise is this: the difference between a homeless person living on the street who can’t get off a street drug, and an everyday person who goes into hospital and takes far stronger drugs long enough to get addicted—but doesn’t—is that the everyday person usually has something to go back to.
The opposite of addiction isn’t sobriety – it’s connection.
Johann Hari
This blew my mind. The idea that it isn’t about the drug, but rather the person’s presence of meaning—or lack of it—that determines whether or not they get addicted to substances.
There are many variables here, and I’m not making blanket statements that are supposed to apply to every situation.
I see a lot of similarities with the current hysteria around opiate usage and people abusing social media. There’s a narrative that, “the opiates must be stopped!”, and that, “social media is killing our kids!”.
I don’t think they are. Are they good for you? They can be, when used appropriately. Are they being abused? Yes, clearly.
But I think the problem is ultimately what Hari talks about in his book. It’s the lack of something bigger than the drug or social media in peoples’ lives.
We’re in a crisis of meaning. People are empty. People are lost. We have girls pretending to have Tourette’s as a way to feel seen and/or become popular.
I would argue that the underlying cause for so much of what we see going wrong with our young people is simply a lack of direction and meaning. And I don’t blame them. I don’t even necessarily blame their parents, although that’s closer to the mark.
The real causes are obviously multivariate, but I believe they mostly exist at the layers of society and culture.
Like, what are the instances of illness appropriation or social media abuse for children of immigrant parents who have instilled a strong work ethic in their kids, and who are striving for academic, artistic, and/or athletic excellence?
I don’t know if that data exists, but I bet these problems are far less common in households where the children get their direction from their peers and from social media itself.
Basically, my model is that a lack of meaning, direction, and strong social ties causes depression, and that depression then opens the door to addictions such as drugs and social media.
So, sure, maybe let’s see if we can get some of this stuff out of circulation. But that won’t solve the problem.
What will solve the problem is having a cohesive narrative for how kids should comport themselves. A path. A vision. A direction. A moral foundation. And examples of how one should live a good life.
This is what kids need. Hell, it’s what adults need.
And if they don’t get it, they’re going to fill that void with something that isn’t good.