Daniel Miessler's Blog, page 44

October 11, 2021

Thoughts on Vaccine Mandates


I wanted to just capture some thoughts around vaccine mandates.

We’re seeing more and more rational people come out against mandates, citing personal freedom and an aversion to unquestioned governmental authority.

Fine. I get it. Sure.

In a vacuum, yes, it’s a bad precedent to just blindly do what the government says. And when you combine this with our universities and our media becoming more ideologically oriented, it starts painting a picture for some on the right.

The picture is this:

1. The media is completely sold out to the extreme left, and will only allow extreme left viewpoints to survive. Anything else will be ridiculed and/or cancelled.
2. Universities are now teaching the same, which is churning out young people who bring that stuff into the workplace.
3. Then we have the pandemic, which really isn’t that bad if you just let it happen and let people get natural immunity. It’s actually just another government control mechanism, designed to scare people into listening to the same left-leaning, Marxist-style government that is selling extreme left ideology in the media and the universities.

That’s a neat little package, and there’s a great word for it.

Specious.


The problem with the pandemic part of the argument is that it’s not backed by science. The scientific consensus is overwhelmingly clear that if we didn’t take the pandemic seriously, there would have been a lot more death. We’re at around 700,000 dead right now, but that could have easily been in the millions without distancing, masks, and vaccines.

We know this because we ran natural experiments. States like California did way better because more people distanced, wore masks, and got vaccinated. And states like Florida and Tennessee did worse because they didn’t. We saw it happen right in front of us, and it’s well documented in the statistics.

The New York Times publishes all their data and its sources on Github.

Now, you can say you don’t trust the data, but if you don’t accept evidence then there’s no evidence I can offer you to fix that situation. Data from the New York Times is just pulling from the various state and local jurisdictions. It’s not like they have their own Liberal/Federal source of fake data. Their data is as real as it gets.

That data shows, and we saw in real-time, that the states that followed the guidance did the best. This was true around the world, and it was true in the US. Distancing works. Masks help. And vaccination has been a miracle for avoiding symptoms, hospitalization, and death.

All this to say, to the moderate conservatives, ok—I get it. You don’t like the crazy far-left politics. I get it. It annoys me too, and I am pushing for a more center-focused politics as well.

But don’t conflate that with the virus and the effect it’s had on people. Sure, you can argue about mandates and politics and stuff there. In other words, how we reacted to the virus. But don’t allow yourself to be swayed on the basics.

The basics are:

1. This thing is really bad.
2. It’s killed 700,000 people.
3. It likely would have killed many times that if we did nothing.

This is completely separate from our reaction and whether or not it made perfect sense in every case. It didn’t. We made it up as we went along in many cases. But distancing, masking, and vaccines are the solid parts of the equation.

It’s true that we could have done nothing, and humanity would have survived. But the economy might not have. If say, 2 million or 5 million people died, or maybe 10 million—just in the US—that’s a small number relative to our total population, right?

That’s what some on the right believe. And it’s somewhat true. We’d still be here. And we’d have some kind of immunity afterwards as well. So that is one way of doing it. But there’s no way of knowing whether the economies of the world would survive that. And it’s not a very American way of doing things either—to just walk straight into the slaughter of millions when we have the weapons to fight, i.e., policy combined with vaccines.

And that brings us to mandates for vaccination.

Vaccination only works properly if enough people do it. So this is a canonical case of where personal freedom collides with the greater good.

It should be 100% possible for a moderate Republican to simultaneously say:

1. The media is biased far-left.
2. The universities are biased far-left.
3. Some of the stuff that came out of the WHO and the CDC was sketchy.
4. Something is up with Fauci and the way he divulged what he knew and when.
5. BUT, the basic guidance that the CDC gave was right.
6. BUT, the basic guidance that Fauci gave was right.
7. BUT, we absolutely would have had millions of people dead if it weren’t for doing that guidance and getting vaccinated.

You can, and should, hold both of these lines in your mind at the same time. They are not in conflict. Believing 5-7 does not make you a liberal. And believing 1-4 does not make you a conservative. Life is complex and messy.

Smart and thoughtful people are able to assemble their own beliefs from many other sets of beliefs. You don’t have to pick one camp and believe everything they believe.

So I ask you, my friend the moderate Republican, be willing to say that blindly following the government is bad, but that in this case, given the risks, the good of the many does in fact outweigh our individual freedoms—just for this one issue—at this one moment.

That doesn’t mean we forfeit individual freedom, and it doesn’t mean we blindly trust the government. Our country is based on not doing that. Or at least it’s based on not blindly trusting in all cases. So that’s good. That’s healthy. Keep it up. We love you for it.

But we have the data. It’s right there. In this case, and in many others in the past and in the future, the government is actually correct—at least directionally—in pushing people to vaccinate. It’s a public-good thing, and the public-good is also part of being a good American.

America first doesn’t mean each of us first, it means the country first. As a group. As a whole. And that’s collectivist, not individualist.

Please think about it.

Published on October 11, 2021 22:55

News & Analysis | No. 302

This Content Is For Paying Members

Published on October 11, 2021 01:55

October 7, 2021

Weakness and Evil


In any sufficiently high-pressure situation, weakness is indistinguishable from evil.

This sentiment is written to mirror Arthur C. Clarke’s statement about technology, but the structure fits well.

In these decades I’ve lived, I’ve seen thousands of situations where someone is causing pain to others—not because they want to—but because they’re broken.

I used to draw a firm line based on the ultimate cause, i.e., are they doing this because they’re a bad person, or are they doing it because they’re in pain and suffering themselves?

In my later analysis, however, I’ve found that it doesn’t matter much. The real question is whether or not you can help. If you can, I recommend trying, so that eventually you can dig out the person you know they can be.

But if they refuse help or the damage is too great—and they continue harming themselves and others—you may need to separate in the same way you would from someone who is naturally ill-intentioned. A smart and damaged person often takes on many of the characteristics of evil, and when you’re the target of such attacks and manipulation the difference in ultimate source becomes academic.

This is one of the great lessons in life that nobody formally teaches.

Broken people can cause nearly identical pain to evil people, and it may be just as necessary to distance yourself from both.

The main question to ask in this situation is this:

Can you actually help, and how much effort can you afford to spend on doing so?


A big part of this is often whether or not they want help.

If you do your research and come to the conclusion that you can help, make sure you can pay the cost. Make sure your own sanity and the health and happiness of those around you can absorb the effort. If they can, then putting forth that effort, even at great cost to yourself, is likely to be one of the best things you ever do.

But if you can’t help, for whatever reason, you’re better off separating yourself from the problem. Namely, them.

This is hard, but if the person is emotionally harmful to themselves and others, in a chronic and unfixable way, you can think of it like a hurricane or a Grizzly bear. You’re not mad at them. You’re not blaming them.

You just can’t be close to it because it’ll hurt you. Bears and hurricanes aren’t evil either, but they cause damage just the same.

Watch for people who turn into these things in your life, and make the difficult decision to separate when needed.

Notes

Ultimately, because I don’t believe in Libertarian free will, I don’t believe in “evil” people either. I see evil as a practical effect in reality, as opposed to an authentic source for action. In short, truly evil people like Manson or Bundy or whoever are just a combination of material bits that got assembled in some configuration, combined with an environment that acted on them in some way. The result manifests in a way that we call evil, and I think it’s a useful term. But it’s not a good description of an actual cause.
Published on October 07, 2021 19:33

October 3, 2021

News & Analysis | No. 301

SECURITY NEWS

600 journalists combined efforts to investigate a massive network of offshore banking and shell companies that allows the world’s most rich and powerful to hide their assets from authorities. This includes heads of state, other politicians, and celebrities. It’s being called The Pandora Papers, and includes around 12 million documents from law firms and various media outlets. More

CISA has released a tool to help organizations combat insider threats. It helps companies assess their insider risk and determine what they need to set up a program. More The Tool

NSA and DHS say foreign attackers are attacking VPN systems, and they have provided new guidance on how to lock them down. More Guidance

YouTube has blocked all anti-vaccine content. More

China has sent 77 planes into Taiwan’s defense zone over the last two days. More

Thousands of Coinbase customers had crypto stolen due to account takeover. They used a flaw in Coinbase’s SMS-based MFA to send themselves authentication tokens. More

Rob Joyce, director of cybersecurity at NSA, says almost every country has an offensive cyber capability. More

Neiman Marcus sent a breach notice to 4.3 million customers. More

Vulnerabilities: QNAP patched critical vulnerabilities in QVR software. More fail2ban has an RCE vulnerability. More

Companies: Cloudflare is getting into email security by offering SPF and DKIM, as well as email routing that lets you control and consolidate email addresses. More Cyberinsurance firm Coalition raises a $205 million Series E. More

TECHNOLOGY NEWS

Cloudflare is launching an object storage service to compete with S3, and they’re calling it R2 because it’s “one less than S3”. Its main claim to fame so far is that, unlike S3, it will not charge customers for egress traffic. More

PWC says all 40,000 US employees will be able to work remotely forever. More

TikTok now has a billion monthly users. More

The US Army has funded a sleeping cap that cleans the brain. It works by controlling the flow of fluid that is believed to cleanse the brain while we sleep. More

Deepmind can predict the location, extent, movement, and intensity of rain 89% of the time—out to around 90 minutes—which is significantly better than any other model. More

Companies: DNA-based data storage platform Catalog raises $35 million. More
HUMAN NEWS

When listeners pay close attention to stories, their heart rates synchronize. More

Many countries are struggling to keep up with surging energy needs resulting from the COVID economic recovery. Energy prices are high in Europe, China, and the US due to increased demand and a supply that isn’t keeping up. There is speculation that this may have been a contributing factor to China banning cryptocurrencies. More

Researchers at Mount Sinai have found that EKG results can indicate which patients are more likely to decline and die from COVID, up to several days in advance. More

Britain is struggling with shortages of fuel and food, especially in rural areas, due to the effects of Brexit. The issue is complex, but Brexit essentially made it more difficult for immigrants to work in the country, so many of them left. And it turned out that those immigrants were the ones doing most of the truck driving that was getting things like fuel and food from one place to the next. So Britain basically said they didn’t want the immigrants there, while most also didn’t want to do the jobs those immigrants were doing. And now they’re suffering the consequences. More


CONTENT, IDEAS & ANALYSIS

Podcast Setup Update (October 2021) — A short write-up on my new—and likely to be relatively static—podcasting setup at the new place. More

Pelosi Capital Management — An investment strategy based on buying whatever Nancy Pelosi buys. I’m bothered I didn’t think of this. Or more specifically, I’m bothered I didn’t ask the key question behind it. “What entity has access to the best possible investment advice at the top of the food chain, yet also has to disclose their investments publicly?” That would have revealed the answer of “Congress.” Shame on me. More The Twitter Account

Systems vs. Goals — This is a very good piece about how you need both systems and goals to be successful. This is a strike-back at books like the one from Scott Adams, where he says systems are far better. I think the answer is somewhere in-between. For day-to-day, month-by-month, systems are far more important. But for planning, goals are more important. The key then is 1) ensuring that you have both, and 2) ensuring that your system is helping you achieve your goals. So it’s not a competition; it’s an interaction. Like diet and exercise. Or mental and physical health. That being said, if I had to choose, I’d probably choose systems because—assuming it’s a system that keeps you healthy—you’re more likely to be able to find your goals using it. Versus having no system and a bunch of theoretical goals that you never took action on. In that situation you can wake up in your 50’s and realize you haven’t done anything. So I’d say that’s worse.

NOTES

A Brief Defense of My Own Podcast — I want to take a moment to defend my podcast from continued attacks from a particular individual. And that person is…me. I just realized that every time I show someone my podcast, or get asked about it, I always lead with how it’s dry or sterile or whatever. But really useful! Through some other reading I’ve come to identify this as negative behavior, and there’s a simple test to see how bad it is—I’d never talk about someone else’s podcast in this way, at least not without also highlighting its strengths as well. Yet here I am having never once described why anyone should listen. So let me do that. My podcast is not the most exciting, and it’s not the funniest, and this is on purpose. First, excitement and humor are difficult to do consistently, and they’re really bad when they go wrong. Second, they simply add bulk to the product. Then there’s the fact that excitement and humor usually involve multiple people on the show. That’s really hard to do, especially consistently over multiple years. The more people the more chance for someone not to show up, not to have a good show, etc. So, my formula is simple: a concise, dependable show format, delivered by me alone, pretty much as quickly as possible. I also recommend you listen at 1.5-2.5x. At that speed you get a pretty damn good summary of security, tech news, and goings-on in the world—in around 10 minutes. Plus regular helpings of original thought about the stories and their impact on society. The reason I make this show is because if it already existed I’d be a fan. It’s the show I wish were available somewhere else. So, yes, you lose some things with this concise and direct format, but I would argue that the value makes up for it. So, yeah, that’s why you should listen to this, which is weird since you already are. And if you ever hear me bad-mouthing my own show, do me a favor and slap me.

I just created two different versions of the podcast—one for members and one for everyone else. The standard version stops after the first three news sections for even episodes, while the member version has all the other sections as well, including Content, Ideas, and Analysis, Notes, Discovery, and the Recommendation and Aphorism of the week. The goal was to stop giving the entire show to everyone via audio when members subscribed to get access to that same content. So basically, on odd episodes, everyone gets the full podcast and newsletter. And on even episodes, members get the full podcast and newsletter, while non-members don’t get the newsletter and the podcast is an abridged version that doesn’t include the analysis and discovery portions. Let me know if you have strong feelings about this, and even better just subscribe so you won’t notice.

I’ve been asked a few times what content goes in my Ideas section vs. the Discovery section. Simple—bolded items in the Ideas section are links to my own full essays. Non-bolded entries in the Ideas section are my own thoughts or analysis on something, but in short form right there as a single paragraph. And cool ideas from others, with no analysis, are links in the Discovery section. Hope that helps!

Currently reading Jordan Peterson’s latest book. I’m a 70% fan of Peterson. I love and respect him. But I often disagree with his positions. And his writing is hard to consume. Still, I find him genuine and entertaining, and most of all—working from good-faith.

I just bought The Wires of War. A serious contender for the next UL book of the month I think. More


DISCOVERY

/r/netsec’s Q4 Hiring Thread More

Where Have All the Sex Scenes Gone? More

Always Multiply Your Estimates by π  More

Pelosi Capital Management — An investment strategy based on buying whatever Nancy Pelosi buys. More

Don’t ask to ask, just ask More

Someone took a new Rivian electric truck into the mountains for a review. More

“google” is the most-searched word on Bing. More

Big Orgs Are Broken Due to the Prisoner’s Dilemma More

Workers are leaving Zoom to go back to the office, where they get back on Zoom. More

Securing Your Git Commits Using FIDO2 Keys More

10 Types of Web Vulns That Are Often Missed More

tmux & ch.sh More

FAV/E — Utilizes NIST CVE to find vulnerabilities and exposures based on various criteria. More


RECOMMENDATIONS

If you like Star Wars or Anime, to any degree, you must check out Episode 1 of the new Disney+ series called Star Wars Visions. It’s without question the best Star Wars thing I’ve ever seen. Can’t say more. 


APHORISMS

“We reach each stage of our life as a novice.”

~ Nicolas de Chamfort
Published on October 03, 2021 23:40

October 2, 2021

Podcast Setup Update (October 2021)


I have a number of posts on my podcast setup for Unsupervised Learning, a show I’ve been doing since 2015.

This one is different because I’m in my permanent setup at the new place.

Or as permanent as anything can be these days.

Current gear

The gear I’m using for this setup has been mentioned before, and I’ve used it before, but not in this combination.

The Neumann U87 Ai Condenser Microphone More

In my previous place, a small apartment with hardwood floors, the audio situation was horrendous so I couldn’t really use a condenser microphone—much less a Neumann. So I was using a Shure SM7B, which is a fine choice no matter what. Many top podcasts use that mic even though they could use anything, including Rogan, Sam Harris, and actually most big podcasters.

I prefer the crispness and liveliness of the Neumann condenser though. Or at least I do right now. If I had to summarize, the SM7B takes some of the character out of your voice and adds in some awesomeness. The Neumann U87 Ai extracts every little detail from your voice, and brings it to the front. So it’s a completely different sound but I currently like the latter.

The Apollo Twin X Audio Interface More

I have been alternating between this device and the RODECASTER PRO podcasting rig for a while now. Mostly to try to solve my audio issues in the apartment. I prefer the Apollo for day-to-day audio management, and for listening to music, so the only reason I was using the RODECASTER was because I was having some audio issues with the Apollo when podcasting. Namely, I was having trouble controlling echo and such using the complex stack of plugins and DAWs.

What I’ve done now is just taken those things out of the loop. I’m now just going raw mic into Hindenburg.

The Hindenburg podcast application More

Hindenburg is like a Tesla. It doesn’t do nearly as much as other top-end cars, but what it does do it does really well.

It’s far simpler than other DAWs, just as Teslas are vastly simpler than, say, BMWs. If you like a pretty interface with a million knobs and colors, you won’t like Teslas or Hindenburg. But if you like a DAW that does the core functions very well, this is the way to go.

The Acon Digital Deverberate plugin (for echo) More

I’ve tried probably five echo plugins over the last six years. This is the one I always come back to, and although I need it less in my new studio that has carpet, I still keep it in my chain.

The iZotope Nectar 3 plugin (compression and noise gate) More

I’m a huge fan of iZotope stuff, and this Nectar 3 Plugin turned out to be exactly what I needed just now for my latest podcast setup.

In my previous stack I had the RODECASTER PRO, which has a noise gate built into it. It worked quite well and best of all it was a hardware feature. When I switched to the Apollo/Hindenburg stack I lost that noise gate, which is much needed because the Neumann picks up everything.

So I added the Nectar 3 plugin with some compression and a noise gate that not only takes out any background noise from AC or whatever, but it also removes breathing sounds and even mouth noises. This is so important if you want to maintain high voice quality without having tons of unwanted breathing, clicks, and pops in your shipped product.

Next steps

The final thing I’m doing for my studio is adding sound dispersion and absorption. I’m ordering some GIK products that are art pieces for the walls as well as bass traps for the corners. Those combined with the carpet and added furniture might give me enough treatment to get rid of my de-echo plugin.

Summary

If you have a pretty quiet room and the funds to invest, I’d say this is a really solid stack for producing a show.

It’ll give you NPR-level voice quality combined with near-professional-grade (and automatic) removal of the noise between words and sentences.

Hope this helps someone on the same journey.

Published on October 02, 2021 05:15

September 27, 2021

News & Analysis | No. 300

This Content Is For Paying Members

Published on September 27, 2021 04:01

September 20, 2021

News & Analysis | No. 299


SECURITY NEWS

Apple did an emergency patch last week for a zero-day NSO exploit that installs its Pegasus tool. The attack affected every iPhone, iPad, Mac, and Apple Watch. The attack came in via Messages, and once installed, the software gains full control over the device. Citizen Lab alerted everyone to the issue, and the story is applying even more scrutiny to the NSO Group, which is an Israeli company that sells this software to governments all over the world. More

Researchers have compiled a list of vulnerabilities used by ransomware gangs. They include Pulse Secure VPN, Citrix, Exchange, Fortinet, SonicWall, F5, Palo Alto, QNAP, Sophos, SharePoint, Windows, Office, vCenter, Accellion, FileZen, Atlassian, Zoho, and Azure. More

Indonesia says at least ten government ministries and agencies, including systems from their intelligence service, have been compromised by a Chinese threat actor Mustang Panda. More

You’ll soon be able to sign in to your Microsoft accounts without a password. Instead, you’ll use Microsoft Authenticator, Windows Hello, a security key, or a login token sent via SMS or email. More

China disappeared one of its biggest celebrities from the internet. Her name is Zhao Wei, and she’s basically the Reese Witherspoon of China. Everyone knows her, and she just got Thanos snapped out of existence. She can’t be found on search engines, video sites, or anywhere. She was basically erased from Chinese history. This happened as China is in the middle of a crackdown on celebrity itself, which they say is unhealthy. It’s not clear what she did to anger the government, but it could be that she was simply too big and they wanted to make an example. I imagine a lot of celebrities in China are about to suddenly be very patriotic, and I imagine that’s exactly the point. This is the size of the weapon China is using in their Culture War 2.0. Erasure of Self. No matter how big you are. If you’re not sufficiently pro-Party. More

Vulnerabilities: Adobe, SAP, Microsoft, Chrome, TravisCI, Netgear Smart Switches

Companies: Neosec raises $21 million to do API security. More Identity startup Persona valued at $1.5 billion. More
TECHNOLOGY NEWS

The Apple September Event: As someone who used to work in security at Apple, I’m extremely pleased that many of the rumors were wrong, which hasn’t happened in years. I saw the announcements as solid evolutions—much like an “S” release of the past. This piece says the 13 is a pitch-perfect 12. The two things I’m excited about with the phone (I’m getting the blue Pro) are the camera and the screen. I’ll also be getting the new watch when it drops, but I’m disappointed we didn’t see more watch faces. More than anything I’d like to see more creativity and flexibility there. Watch-wise, what I’m truly looking forward to is a round face. Who knows if that’ll ever happen.

Like 80% of web backends are written in PHP. Still. In 2021. The next closest competitor? ASP.NET, at 8%. Stunning. More

Intuit is buying Mailchimp for $12 billion dollars. More


HUMAN NEWS

A company called Amdocs did a study that found that around 30% of GenZ and Millennials have thought about switching jobs, but only around 15% of GenX and Boomers. So, around half. More

We finally figured out what made the Stradivari violins the best in the world after all this time. They were made from 1660 to 1750 and we’ve been unable to match their quality ever since. Turns out, it was the varnish. More

Women are nearly half of new gun buyers. More

Not sure how much this is anecdote vs. data, but Dr. Andrew Huberman says a colleague of his told him around 25% of students age 16-32 take unprescribed Adderall, and 5-10% also take Modafinil or Armodafinil. More

Some rich people are counting their antibodies. More

Antibody treatment is getting really popular, especially among those who don’t want to get vaccinated. The irony is that the treatments are quite new, and are basically cloned antibodies from Regeneron and Eli Lilly, which are companies not unlike Pfizer and Moderna. They’re happy to sit in a chair and be injected with cloned antibodies from a couple of pharma companies, but think it’s crazy to get a vaccine that teaches your body to make the antibodies yourself. Ultimately it comes down to conservative talk radio and podcast hosts promoting the former and not the latter. In other words, this country is doomed. More
 
California has the lowest COVID case rate in the country. Meanwhile, Alabama reported more deaths than births for the first time in its history. More More


CONTENT, IDEAS & ANALYSIS

It’s Time for Vendor Security 2.0 — My essay on our broken approach to vendor security, and what I think we should do to fix it. More

The Is-Ought Problem and the Ship of Theseus — How human perspective might be the missing piece to solving a number of timeless philosophy problems. More

My Thoughts on the OWASP Top 10 2021 — My analysis of the new OWASP Top 10 for 2021. More

Why People Aren’t Going Back to Work — This is a brilliant, video-based argument for why many people might not be returning to work. Essentially, because of millions being laid off from the COVID recession, people are figuring out most jobs are not dependable, and that illusion was the only reason they were willing to take so little pay in the first place. I think this is definitely a factor, but I think the percentage of people who are going to start a business and pursue their dreams is much lower than this person thinks. Many more will just decide to stay out of the job market as long as possible, i.e., by moving back home, living off a partner, etc. Combine those with the stimulus money, and I think you have most of the explanation. More

Unemployed Spies — There have been several stories now about former spies being hired as consultants in repressive regimes to track down dissidents. It’s starting to remind me of the Iraqi Republican Guard situation during the wars. We walked in and just disbanded the entire group, and what do you know—they became a major problem for us. The point is that I’m sure they’d rather have been doing something else, but working against their own government became lucrative and their kids had to eat. This is less extreme of course, but we seriously need to think about how to maintain moral employment for people with highly valuable and highly morally sensitive careers. Spies. Assassins. Etc. You can’t just train these folks up and wave goodbye at the end of their terms. Well, you can, but they might go work for a frenemy. And that’s exactly what we’re seeing. There should be some sort of permanent home for these types, in a friendly capacity, so that they don’t feel pressured to take their skills elsewhere. And that should be required to even fund and run the program in the first place. More


NOTES

I am seriously loving Sean Carroll’s The Big Picture. The concept of Poetic Naturalism really resonates with me. As does the idea of Effective Theories, which is basically a model of the way things work that will never change, even if we get better explanations for physics later on. More

I’m now knee-deep in the UL Book for the month, which is Mastermind. Book Club next Sunday! More

I’m looking for a new fantasy series. Suggestions welcome. 


DISCOVERY

[ Sponsored Discovery ] Semgrep — As someone who’s been in Application Security for over a decade, I personally believe that Semgrep is the future of static analysis. That’s how excited I am about this tool. It’s been on my radar for a while now, I’ve talked about it before here on the show, and my friend Clint Gibler of TLDRSec also works there! Essentially, it’s a framework for searching for things you care about within code, within configurations, etc., and it’s wicked fast. So pretty much anything you want to check for, you can write a YAML rule for and integrate it into your workflow. It supports over 17 languages and is powered by over 1,000 community rules. If I had to rate my top security tools of the past few years, and make predictions for impact into the future, my top two would be Nuclei and Semgrep. If you do anything around static analysis—seriously—take a look. More Get Started
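To make the “write a YAML rule for it” point concrete, here is an added example of what such a rule looks like. It is not Semgrep’s own code, nor a rule from the newsletter or the registry; the rule id and message are made up for this illustration. It flags Python subprocess calls made with shell=True, a classic OS command-injection sink, while ignoring calls whose command is a hard-coded string literal (which nothing external can inject into):

```yaml
rules:
  - id: example-subprocess-shell-true   # hypothetical rule id for this illustration
    languages: [python]
    severity: WARNING
    message: >-
      subprocess.$FUNC is called with shell=True. If any part of the command
      comes from outside the program this is an OS command-injection sink;
      pass the command as an argument list without shell=True instead.
    metadata:
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command"
    patterns:
      # $FUNC is a metavariable: it binds to run, Popen, call, check_output, etc.
      # "..." is Semgrep's ellipsis operator and matches any other arguments in
      # any position, so keyword order and extra kwargs do not matter.
      - pattern: subprocess.$FUNC(..., shell=True, ...)
      # A plain string literal ("..." matches any literal) cannot carry attacker
      # input, so those calls are excluded. Note this does not exclude f-strings
      # or concatenations, which are exactly the cases that need a human look.
      - pattern-not: subprocess.$FUNC("...", shell=True, ...)
```

Save it as a file and run it over a tree with `semgrep --config rule.yaml src/`. When committing a rule like this to a repo, the usual practice is to keep a sibling test file with `# ruleid: example-subprocess-shell-true` and `# ok: example-subprocess-shell-true` comments above true-positive and true-negative lines, so that `semgrep --test` catches a rule regression the same way a unit test would.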

Don’t be the Insecure Interviewer More

A Housing Theory of Everything — The idea that unaffordable housing is a meta-problem that causes most others. More

Men are giving up on college. More

Every engineer should do a stint in consulting. More

A Threat Intelligence Kanban Board More

Write Something More


RECOMMENDATIONS

James Clear’s newsletter is one of the few I look forward to every week. It’s just a few quotes, and it’s extremely concise, positive, and thought-provoking. Sign Up


APHORISMS

“Of all forms of caution, caution in love is perhaps the most fatal to true happiness.”

~ Bertrand Russell
Published on September 20, 2021 01:16

September 19, 2021

Is-Ought, and the Ship of Theseus


In a previous post, I claimed to have a solution to the Ship of Theseus thought exercise.

The solution is perspective. When you ask whether something is different or the same, the answer is that it depends on where you’re sitting and how you see the world.

If you’re one of the planks on the ship, or someone who cleans the ship every day, the ship is probably not the same. But if you’re someone who gets a promotion every time the ship shows up, it is still the same ship to you.

I’m reading The Big Picture by Sean Carroll right now, and in it he introduces a concept called Poetic Naturalism, which is the idea that there are multiple valid ways of describing something—again—depending on who’s doing the describing—and depending on what’s useful within their context.

An example of this that I’ve used before is the concept of an airplane wing. If you’re talking about the layer of subatomic particles, or chemistry, there is no wing. It’s just atoms and quarks and such. But if you’re an airplane mechanic, wings are quite real. The answer to which is correct comes down to this: They both are—because both are useful within their context.

Another example is the human body and one’s identity. Our bodies are constantly being remade through cell destruction and growth. And our memories—which are at the center of who we are—are constantly being deleted, reinforced, rearranged, and adjusted as we sleep. If you’re looking at the level of atoms or even the level of biology, we literally wake up a different person every day. In fact we’re different from minute to minute. But we don’t consider ourselves different because the primary observers—ourselves and other humans like us—don’t see that incremental change as significant.

That brings me to the Is-Ought problem. Although the book doesn’t talk about it, reading it got me thinking about that puzzle in the same way. Is-Ought is an argument spawned by David Hume that it’s nearly impossible to determine what someone should do from looking at the world as it is. Or, put another way, it’s hard to move from descriptive statements to prescriptive statements.

I’ve not seen this argument in 15 years of reading on this topic.

I think the Is-Ought distinction is explainable in the same way as The Ship of Theseus.

Essentially, both need a third party to provide clarity. They both need a perspective—an observer—to cut through the confusion. For the ship, you cannot say whether it changed or not unless you also ask, “To whom?”

I think for Is-Ought, the analogous perspective is a human purpose.

It’s a goal or a desired outcome—a statement that we’re trying to accomplish X for humanity. Examples include trying to reduce the number of people who are suicidal or depressed. Or reducing world hunger. Or improving the long-term happiness of a population within a country.

Applying a goal in this way is like applying a strong magnetic field to a table full of iron filings. The filings are the IS, and they take on the pattern of OUGHT due to the external entity.

Not a perfect analogy because a magnetic field applies a force rather than providing a perspective, but still apt I think.

This is how to cross the gap between Is and Ought in a human context. And the irony is that Sean Carroll and Sam Harris have actually debated a similar topic, with Sean saying it wasn’t possible to use science to pursue moral questions.

What he was objecting to specifically was Sam’s Moral Landscape, in which Sam says you can bridge the distance between Is and Ought by applying science to a human problem. I suppose it would make sense that Sam’s work gets closest to this, given that he has been the most influential thinker on me since 2005 or so.

Effective theories will always be valid even if our understanding of underlying physics gets updated and improved.

It’s very strange that Sean doesn’t see the power of this perspective shift. Especially given his wonderful concept of Poetic Naturalism and his explanation of Effective Theories.

Much of his book is about how different ways of thinking about things are valid based on the level and context in which they’re observed. It’s not that far of a jump to realize Ought is just another instantiation of that.

Put another way, Ought = Is * Human Purpose.

So, no, you can’t get Ought from Is, but you can if you have a human purpose. Importantly, in order to establish this link, or to apply what’s in the Moral Landscape, you’ll need a society that’s advanced enough to apply science to extract the variables here.

Let’s take an example.

Let’s say we want to increase happiness for a population of highly depressed people in a country. And let’s say we have a super-advanced science function somewhere to do the work, as well as 100,000 years to conduct experiments, gather data, etc.

So, we have a measurement of their happiness, and we have measurements of attributes of the society. Measurements such as how open and free it is, views on sex, politics, the role of government, the role of religion, etc.

Let’s say it’s a highly repressive government that doesn’t educate its women, they don’t allow you to smile for three days a week, and they worship Fraun: the Goddess of Celibacy.

What a science-based approach could do is start trying different things in this society. They could move to a different kind of religion. They could educate everyone and pursue gender equality. They could start having recreational sex with each other. Or they could become a nation of hippies that believe nothing.

Over the course of centuries, given the right application of science, you could theoretically (for the sake of argument) try lots of different combinations. Maybe some experts thought you just needed to have a different god. Or that you needed more education. Or that they should increase no-smile days to 6 days a week.

The point is that they could try many of the major combinations of the variables on different places on their spectrums—all the while continuing to measure the happiness of the population. Keep in mind, some changes would produce some happiness for a few decades, and would then turn worse than the previous system. And some would look worse for a while and end up producing more happiness in the long-term.

Now, let’s say it’s 43,721 years later, and we’ve tried countless iterations and ended up with lots of societal configurations that each have their respective Population Happiness Scores (PHS’s).

Given another similar society, which is now asking for similar help, the question is this:

What should that society do?


We’ve learned a whole lot about Is. The Society Consulting team has over 40 millennia worth of great data. They know what works and what doesn’t work.

Now let’s say that in this new, primitive society they have someone named Hoome. He’s a smart Scoutish man who believes it’s impossible to know what kind of society to build. It’s impossible to go from describing the world to prescribing what you should do within it.

I would argue he’s wrong. I would argue that yes—we do have a path to Ought. The path is simple:

1. We have a Human Goal, which is to increase happiness in society, and
2. We have science to provide the Is that tells us how to adjust our approach.

Using these two, we can absolutely determine a good path forward.

Also known as, what we “Ought” to do.

Summary

The solution to the Ship of Theseus problem is to add an observer as context.
The solution to the Is-Ought problem is to add a Human Purpose as context.
That context is what collapses intangible ideas like “the same” or “should” into something useful for the people that matter. Namely, humanity.

Notes

There are many paths to increasing happiness in this model, and we can decide which we want to use based on lots of criteria. This is why Sam called it a “Landscape” in his book. As he said, there are many peaks and valleys. His key point is that you can use science to map out that landscape.
Published on September 19, 2021 10:22

September 17, 2021

It’s Time for Vendor Security 2.0


In a previous post I talked about how security questionnaires are security theater. They were in 2018—and they still are—but pointing this out always raised the same challenge:

Fine, but we have to do something. What’s the alternative?


It’s a fair point, and I think we have an answer. I’m a bit allergic to 1.0 and 2.0 designations, but in this case I think we have a clear transition.

Ask yourself how much time was wasted on security questionnaires for Solarwinds, and how many of them did any good.

In short, Vendor Security 2.0 is the transition from external security checks to internal risk analysis.

Questionable value

For those of you who have been playing the security questionnaire game for multiple years, ask yourselves how many Solarwinds-type compromises, or data breaches from popped vendors were:

1. Caught by a security questionnaire process, AND
2. Stopped from doing business with the company because of the security questionnaire

???

Not many, right? They either weren’t caught by the process, or the business ignored the findings because they wanted to use that product or service.

I have been part of hundreds—possibly even thousands—of vendor security reviews in my 20 years in security, and I can think of very few examples of where the business really wanted to use a particular vendor and security shot it down.

I learned about it via a lucky interview with someone honest.

Not only that, but I’ve been onsite doing an in-depth security assessment while big-four teams were completing their reviews with thumbs-up and smiles everywhere. SOC2 no problem! Security questionnaires passed with flying colors! But at week two I found a critical issue that directly affected customer data.

Unless your (business) partner overrides you.

The best use of a security questionnaire is to ask the company if they’re an axe murderer. If they say yes, don’t hire them to babysit.

If we only used vendors that have never been hacked, we’d be writing our own operating systems, CMS software, and 100 other pieces of core technology.

As it turns out, if everyone you’re talking to is hiding the truth, you can easily do a full onsite security assessment and not find much of anything. If they can hide things that well while you’re onsite with decent access, imagine what they can do with a questionnaire.

Mob mentality

Then there are the online reputation services, which too often function like the mob.

Pay us so we can protect you.

Protect me from who?

From someone telling all of our customers how insecure you are.

(looks around)

Who would do that?

(smiling)

Us.

Super gross.

I’d mention names but don’t want to get whacked.


Moving on

Right, so we know what doesn’t work. Let’s add more detail to what we are proposing with Vendor Risk 2.0.

1. Assume compromise

Assume your vendors are compromised.

It can be more than two, but don’t let it expand.

Massively slim down your questionnaire to two basic questions: when was the last time you were breached (what happened, why, and how did you adjust), and do you have security leadership and a security program.

Focus mostly on when they admit they’re an axe murderer. So if they say, “Actually, we don’t really have a security program and we’re kind of struggling right now…”, consider telling the business that this is a serious problem. Optionally: maybe find a way to work with them later because they’re clearly honest.

In short, give really bad responses lots of weight, and give good responses very little.

2. Perform Risk Assessment Analysis

Perform Vendor Risk Assessments on all key vendors that have software running in your organization or that have your data.

“Key” being a function of penetration into your business infrastructure and data, combined with the amount of impact a breach would have.

Vendor Risk Assessments should function much like Threat Models, in the sense that they’re looking for an understanding of 1) the integration of that vendor into your business, 2) what could go wrong if/when they were/are compromised, and 3) what you can do to mitigate that risk.

Transition your Third-Party Risk Team’s efforts from questionnaires to doing these assessments, with most of the emphasis on #3.

For the assessments themselves, focus on improving visibility into the risk, adding controls to reduce said risk, and also on ways to reduce the scope, penetration, and access that the vendor tool has to minimum levels—thus reducing impact when a breach occurs.

After Solarwinds this conversation will be a lot easier.

3. Risk Visibility

Ensure the business understands that vendors are tradeoffs between easier/faster functionality vs. security.
Use the Vendor Risk Analysis process to educate the company, including senior leadership, on the real-world risk posed by all vendors in use.

Summary

Questionnaires are largely Security Theater because it’s nearly impossible to assess a company’s security risk from the outside.
If the business needs a given tool, they’ll likely force the company to use it despite the risk.
Given these truths, the most realistic path for protecting ourselves from vendors is heavy investment in Risk Visibility, Risk Reduction, and Risk Communication/Acceptance.

Notes

Thanks to Orianda G. for talking through this with me and helping validate from another vendor security veteran that my views on this stuff aren’t completely off-base.
Thanks to Jesper Johanssen for my new favorite three-step description of threat modeling.
When people talk about 2.0 they’ll inevitably be asked about what 3.0 might look like. The short answer is that I don’t know. But I imagine it’ll be something like a combination of SBOMs, combined with risk assessments, combined with dependency and connectivity mapping. In other words, we use these software packages, with this data, in these processes, and given that they’re deemed to be X secure in Y configuration, we currently have Z amount of risk. Ok…that might be 4.0.
Published on September 17, 2021 03:36

September 12, 2021

News & Analysis | No. 298

This Content Is For Paying Members

Published on September 12, 2021 23:01
