Daniel Miessler's Blog, page 52
March 24, 2021
The Consumer Authentication Strength Maturity Model (CASMM) v5
If you know anything about internet security then you likely spend a lot of your time helping people improve their password hygiene.
People like moving up rankings, so let’s use that!
This post is an attempt to create an easy-to-use, visual model to help you have that conversation.
How to use this model
All models are broken, but some are useful!
The idea here is for someone in the security community—or really any security-savvy user—to use this visual to help someone with poor password hygiene.
Here are a couple of ways you can do that.
Any improvement is good. Even one step matters.
Show Them Where They Are — The first way to use this model is to simply ask the user about their current behavior and show them where that ranks within these seven ranks. If you show them they’re down at rank 1 or 2, the combination of seeing how low they are in the chart and the color might convey some measure of concern.
Show Them How to Move — Next, show them the various ways they can improve. As we discussed in this Twitter thread, keep in mind that you get the most benefit by moving from 4 and below to rank 5—although they still need to do the previous steps. The next big jump comes when moving from rank 7 or below to rank 8.
Where one “should” be in this hierarchy depends on your threat model.
Summary
Visual maturity models can sometimes help people with their desire to improve.
The highest security improvement one can get is by moving from any rank 4 and below—to Rank 5 (SMS-based 2FA).
The second-best security improvement is moving from rank 5, 6, or 7—to Rank 8 (Passwordless).
Try not to skip steps, i.e., it’s best to make the move to unique, quality passwords stored in a manager before you add 2FA.
I hope this helps you!
Notes
Mar 30, 2021 — After more thinking and conversation with many in the security community, I reverted the numbering back to low-to-high instead of high-to-low. This is mostly because pretty much every other similar maturity model does the same. In other words, if there are 5 levels, level 5 is usually the best. Plus, having something be #1 implies that it can’t be improved, so if something better emerges it requires that the entire numbering system be reset rather than simply adding a new tier. Examples: CMMI, ISO, etc. Thanks to Ian L. for best making this point.
Mar 30, 2021 — Another point to mention about “passwordless” is that if it were truly passwordless throughout the process it would likely be weaker than 2FA in most cases, but what we really mean by passwordless here is “from the perspective of the user at the moment of authenticating to something during the course of a day”. In other words, they’ve already fully authenticated to their OS, etc. to be able to use WebAuthN (for example) in the first place, so it’s not truly passwordless in most cases. But it is for the user experience at the time of a standard, daily authentication activity.
Mar 29, 2021 — After much gnashing of teeth on Twitter, and many nice requests as well, I’ve added a higher tier for passwordless auth using technologies like WebAuthN and FIDO2. I also slightly tweaked the names of some of the boxes to make them shorter and clearer, and fixed an issue with Yubikey incorrectly being in Rank 2.
Mar 26, 2021 — The response to this has been extraordinary, and a few people have already showed me translations into other languages! Evidently I was right in assuming that most security people have this conversation constantly, and appreciated having some sort of reference.
Mar 25, 2021 — There are absolutely tangible differences between different “token” types. OTP is not the same as U2F is not the same as something that’s FIDO2 compliant. But for regular users I think it’s ok to combine them all into one that lives at the top of the model.
Mar 24, 2021 — Thanks to Andrew R. Jamieson for making the suggestion to show what each rank is vulnerable to.
Mar 24, 2021 — Someone mentioned that there are higher ranks of authentication out there, which I agree with, but this is specifically for everyday users.
Mar 24, 2021 — We can pronounce the acronym as “Chasm”, as in, “Let’s see how deep into the chasm you are…” 🙂
Mar 25, 2021 — At the suggestion of someone on Twitter, I decided to invert the numeric scores for the levels, so 7 is worst and 1 is the best. People were saying progress makes more sense if it’s moving toward #1, and I think I agree.
I know there’s debate about this, but even with all the recent (Spring 2021) attacks on SMS, I still consider SMS-based 2FA superior to password alone. My reasoning is simply that it requires more work for the attacker in most situations and prevents the most primitive form of credential stuffing—which is the most common type of authentication attack against accounts.
Thanks to Troy Hunt, Anton Chuvakin, and Tim Dierks for spawning the idea for this.
The Consumer Authentication Strength Maturity Model (CASMM)
This post is an attempt to create an easy-to-use security model for the average internet user. Basically, how secure is someone’s current behavior with respect to passwords and authentication, and how can they improve?
People like moving up rankings, so let’s use that!
How to use this model
The idea here is for someone in the security community—or really any security-savvy user—to use this visual to help someone with poor password hygiene.
Here are a couple of ways you can do that.
Any improvement is good. Even one step matters.
Show Them Where They Are — The first way to use this model is to simply ask the user about their current behavior and show them where that ranks within these seven levels. If you show them they’re down at level 1 or 2, the combination of seeing how low they are in the chart and the color might convey some measure of concern.
Show Them How to Move — Next, show them the various ways they can improve. As we discussed in this Twitter thread, keep in mind that you get the most benefit by moving from 4 and below to level 5, although they still need to do the previous steps. The next big jump comes when moving from 6 or below to 7.
Where one “should” be in this hierarchy depends on your threat model.
Summary
Visual maturity models can sometimes help people with their desire to improve.
The highest security improvement one can get is by moving from any Level 4 and below—to Level 5 (SMS-based 2FA).
The second-best security improvement is moving from Level 5 or 6—to Level 7 (Token-based 2FA).
Try not to skip steps, i.e., it’s best to make the move to unique, quality passwords stored in a manager before you add 2FA.
Notes
Thanks to Troy Hunt, Anton Chuvakin, and Tim Dierks for spawning the idea for this.
Mar 24, 2021 — Thanks to Andrew R. Jamieson for making the suggestion to show what each level is vulnerable to.
Mar 24, 2021 — Someone mentioned that there are higher levels of authentication out there, which I agree with, but this is specifically for everyday users.
Mar 24, 2021 — We can pronounce the acronym as “Chasm”, as in, “Let’s see how deep into the chasm you are…” 🙂
March 22, 2021
News & Analysis | No. 273
Finland says the hack against their Parliament was from Chinese APT31. More
The FCC is looking to strip three Chinese telecom firms of their US operating licenses for failing to adequately explain their ties to the Chinese government. This comes as follow-up to a US policy of evaluating all Chinese companies for ties to government due to their new policy of merging civilian and military efforts. More
The FBI says over $4.2 billion dollars were lost to cybercrime in 2020. More
DuckDuckGo called out Google a few months back to show what all data they were collecting in Chrome and other apps. Google finally released their report on it, and the amount of data seems pretty extensive. Good on Google for publishing it though. More
The critical F5 BIG-IP flaw from last week is now being actively scanned for and exploited. More
A US-based surveillance contractor called Ulysses says it can identify the current location of any vehicle in most countries other than Cuba and North Korea. The ability is evidently tied to the data capture capabilities of another company called Otonomo, out of Israel, which collects telemetry for 16 OEM car companies, over 40 million vehicles, and sees 4.3 billion data points per day. My question is how easily this data can be tied to individuals. More
Security researcher David Buchanan found a way to hide MP3 and ZIP files inside of PNG images on Twitter using steganography. More
Vulnerabilities: There’s a critical RCE in MyBB Forum. More
Flaws in the WP Super Cache and Elementor WordPress Plugins are affecting over 7 million websites. More
Cisco has released updates for an RCE in its Small Business routers. More
Companies: SecurityScorecard has raised a $180 million dollar Series E. More
Vulcan Cyber raises a $21 million Series B for its vulnerability remediation platform. More
Coalition, a cybersecurity insurance company, raises $175 million at a $1.7 billion dollar valuation. More
HD Moore has raised $5 million in funding for his Rumble asset management software. More
TECHNOLOGY NEWS
Chinese tech companies are getting pressured by government regulators, and it’s causing them to lose value in the market. It appears the Chinese government is growing concerned about the power these companies wield, so they’re exerting control via anti-monopoly and competition regulations. More
Nokia is cutting 10,000 jobs worldwide. More
Companies: Squarespace has raised $300 million at a $10 billion dollar valuation. Torch.ai raises $30 million to consume data from any source and use AI to provide data insights. More
HUMAN NEWS
A new study identifies the loss of a substance in the brain called myelin as a major factor for age-related cognitive decline. Myelin has been described as fatty insulation that protects the wiring of the brain. More
Trust in US media has hit a new low, with fewer than half of Americans trusting traditional media. More Visual
Half of US men who identify as Republican say they have no plans to get the COVID vaccine. More
A record 63% of Americans say China is a critical threat to the US. More
CONTENT, IDEAS & ANALYSIS
Look and Feel Matters More Than Ever For Content Creators — A new members-only post on my thoughts around design and experience becoming a primary filter for consumers. More
More on the COVID Lab-leak Theory — MIT Technology Review has an article out about how the lab-leak theory is refusing to die, and I think with good reason. The way I look at this is from a perspective of politics. Which narrative is extremely unpopular right now with mainstream media? A lab-leak theory that implicates China as a cause, that’s what. When there are significant numbers of experts saying something, and they’re being significantly squelched, I tend to amplify their likelihood of being right in my own mind. This doesn’t mean they are right. It just means they’re more likely to be right than is implied by their theory’s level of visibility. The other reason I’m willing to entertain this option is that similar things have happened many times before, in many countries, including the US. Again, I still feel very agnostic about the situation. It would not surprise me at all if we learn later that this was completely natural. But it shouldn’t surprise you either if it turns out to have come from a lab. Even if it did, this wouldn’t be a reason to hate China, or, obviously Chinese people. Again, this has happened many times in the US as well. It’s a problem that needs to be addressed everywhere this research is done. More
NOTES
I’m super excited to be interviewing Amir Majidimehr of Audio Science Review for the show in a week or so. If you have any audiophile questions, please let me know! We’re going to be talking about the rising battle between old-school “Subjectivist” audiophiles and Amir’s Objectivists, who think wine-like tasting notes without measurements is a waste of time. I’m preparing my questions this week and it’s going to be fantastic. More
I am currently reading my friend John Japuntich’s book, Atropos, which just released on Audible. Love the setup so far. More
I finished Artificial Intelligence: A Guide for Thinking Humans. Quite a good summary of where the science has been and where it’s going. More
Looking to read 2034: A Novel of the Next World War next. More
This month’s UL Bookclub Book is We Are Legion (We Are Bob), which I am re-reading before we convene at the end of the month. Come Join Us!
DISCOVERY
OURA Ring — I’ve tried a lot of wearables in my time, and other than my watch I’ve never stuck with one for more than a couple of weeks. The OURA Ring is the exception. I wear it every day and every night, which gives me sleep tracking without having to wear my watch or install one of those silly bed covers. More
X-1 Ultralight Titanium Knife — This is my EDC knife, and I absolutely love it. It does two things for me: 1) minimalism, and 2) never needing sharpening because it uses utility razor blades. More
Malwarebytes — My go-to anti-malware tool on Windows and Mac. It’s what I recommend to everyone, and have been for nearly a decade. And as a show supporter, they’re offering us 25% off. [SUP] More
Superhuman — My preferred email client, despite it being $30/month. It’s a GUI-based email app that functions more like it’s a CLI, and everything they do is catered to professionals and optimizers. It’s the fastest and most satisfying email client I’ve ever used. More
Jut — Render Jupyter Notebooks in the terminal. More
InfoSec Income Questionnaire v2 (Responses) More
I really enjoyed this week’s episode of TL;DR Sec, especially the closing bit about defeating a grandmaster at chess. More
It’s time to stop using SMS for anything. More
12 years and 250 hours of exposures to get these images of the Milky Way More
Global Ping Times More
RECOMMENDATIONS
Read more books instead of social media. If you pick the right books, you can get many times the information density per hour spent vs. reading blogs and other decent sources. You won’t regret it. If you want book recommendations you can follow my Notes section above, look at my Reading project, and/or just ping me directly. My Reading Project | Ping Me
APHORISMS
“When walking in a group of three, there is bound to be someone I can learn from: There will be good qualities that I can imitate, and reflect on bad qualities that I can correct in myself.”
~ Confucius
March 20, 2021
Look and Feel Matter More Than Ever for Content Creators
March 16, 2021
2 Reasons Active Will Replace Passive as the Future of HiFi
First, I’m fairly new to this whole audio thing, so what do I know. But I have spent a couple hundred hours studying the field over the last year, and I’ve done it with relatively non-biased eyes because I don’t have a dog in the fight.
Unjaded Observer Advantage
So you get the benefit of a perpetually curious super-nerd who hasn’t already spent tens of thousands of dollars on one solution or another. Which, as it turns out, counts for a lot.
First, what’s the debate? The debate is active vs. passive speakers. Or, to put it another way—the old-school way vs. the new and technology-powered way. A lot of it comes down to amplification and digital to audio conversion, and where and how those happen.
Many who get bit by the audio bug end up listening to systems instead of music.
With old-school systems going back decades, the DAC and the amps have been separate from the speakers. So the speaker is “passive” and must have power pushed into it to make sound. A newer (and rising in popularity) method of doing this is to have the amps and the DACs right in the speakers themselves, so all you need to do is power them and send them a digital signal.
The old-school audio community and wine communities have a lot in common.
Basically, the old-school types hate the new stuff. They think it’s a Satanic Dungheap. And they’re happy to tell you as much. They think it’s all about pairing this with that, swapping stuff in and out, trying different cables, and taking a wine connoisseur approach to things. Adjust, taste. Enjoy. Discuss. Etc.
What the traditional audiophiles won’t tell you is that they’re addicted to upgrades.
Which would be totally fine! But there’s a trap. The trap is that much of this audiophile community is over-indexed on the chase. For far too many of them, it’s not about the music. Or even the gear! It’s about changing the gear. It’s about looking for the next big upgrade to get that one extra squeeze of happiness from your system. Until you hear someone else’s system and you’re thrown into an existential crisis and you have to sell everything and start over from scratch.
Perpetual Optimization is a common proxy for meaning.
And don’t get me wrong, I’m actually super attracted to this. This pursuit game is a common one, especially for men in their 20’s and 50’s. The whole idea of optimizing a system is highly seductive. I get it. So I’m not hating here.
Now, enter the newcomers—many of which you can find over here at Audio Science Review. First, they tend to be Objectivists, meaning they value measurement and blind testing far more than the old-schoolers who often think their ears are the only measurement they need.
But most importantly for today’s topic, they believe in the active way of doing audio in a room. And I think they might have a point. Specifically, here are the two reasons I think active will win over time.
Pairings Are Everything: If you hang around in any audiophile forums or channels you’ll find everyone talking about how this amp pairs with this DAC and this speaker. Ad infinitum. It’s one of the primary topics, and this is precisely what active systems do so well because all three were designed to work perfectly together.
The Room Matters More Than Most Know: At the very high-end of audio you start to realize that a $10,000 system in a great or treated space can sound like a $50,000 system. And a $200,000 system in a bad room can sound like a $50,000 system. The room matters. A lot. And these new active systems aren’t just shooting out air: they’re using the latest technology to control how the speakers emit sound, they’re using technology to adjust their sound with EQ, and—most importantly—they’re using measurement techniques to optimize the sound of the entire system within a given listening space.
These are huge. Again, in the traditional/passive world these account for a massive percentage of your results. If you have a bad pairing, or a bad room, you can end up with a crap system—even if you spent a lot of money.
Active systems technology will improve far faster than the quality of traditional components because the latter is so much older and more established.
With active systems that are perfectly paired, work synergistically together between the highs, mids, and lows, and adjust their sound based on the space they’re in, you’re getting an automatic boost in overall experience that people would kill for in the passive world. All because of new technology.
Putting love into anything can be fun.
This starts to look like a battle between the old Mustang 5.0 that’s had $50,000 of love put into it over the last 20 years, vs. the Tesla Model 3 that destroys it off the line every time.
Now that analogy only works for a specific measurement, which is acceleration off the line. But that happens to be one of the most traditionally coveted metrics in car-loving history. And my argument is that this passive vs. active situation is very similar when it comes to overall sound quality.
Get Off My Lawn™
You’ll still have people at the audio and car shows showing off their super expensive old-style stuff. And pouring tons of love into their equipment—which is wonderful—but they’re going to look the other way when some 20-year-old drives through in a Tesla looking for a race. Or showing off a full Genelec active system where the monitors, woofers, and subs all work together to do exactly the right thing at the right time for the room that they’re in.
That’s the audio equivalent of zero to sixty in 2.9 seconds.
And here’s the crazy part—the active world can keep getting better! There is plenty of room to grow in the fast-moving world of technology when you fully control the amps, the DACs, the speaker designs, and you have all that adjusting dynamically to the room.
Anyway, those are the two main reasons I think active will win:
Innately Optimized AMP/DAC/Speaker Pairings
Technology-based Room Optimization.
Two Reasons I Believe Active Will Replace Passive as the Future of HiFi
First, I’m fairly new to this whole audio thing, so what do I know. But I have spent a couple hundred hours studying the field over the last year, and I’ve done it with relatively non-biased eyes because I don’t have a dog in the fight.
So you get the benefit of a perpetually curious super-nerd who hasn’t already spent tens of thousands of dollars on one solution or another. Which, as it turns out, counts for a lot.
First, what’s the debate? The debate is active vs. passive speakers. Or, to put it another way—the old-school way vs. the new and technology-powered way. A lot of it comes down to amplification and digital to audio conversion, and where and how those happen.
With old-school systems going back decades, the DAC and the amps have been separate from the speakers. So the speaker is “passive” and must have power pushed into it to make sound. A newer (and rising in popularity) method of doing this is to have the amps and the DACs right in the speakers themselves, so all you need to do is power them and send them digital music.
Basically, the old-school types hate the new stuff. They think it’s a Satanic dungheap. And they’re happy to tell you as much. They think it’s all about pairing this with that, swapping stuff in and out, trying different cables, and taking a wine connoisseur approach to things. Adjust, taste. Enjoy. Discuss. Etc.
Which would be totally fine! But there’s a trap. The trap is that much of this audiophile community is over-indexed on the chase. For far too many of them, it’s not about the music. Or even the gear! It’s about changing the gear. It’s about looking for the next big upgrade to get that one extra squeeze of happiness from your system. Until you hear someone else’s system and you’re thrown into an existential crisis and you have to sell everything and start over from scratch.
And don’t get me wrong, I’m actually super attracted to this. This pursuit game is a common one. Especially for men in their 20’s and 50’s. The whole idea of optimizing a system is highly seductive. I get it. So I’m not hating here.
Now, enter the newcomers—many of which you can find over here at Audio Science Review. First, they tend to be Objectivists, meaning they value measurement and blind testing far more than the old-schoolers who often think their ears are the only measurement they need.
But most importantly for today’s topic, they believe in the active way of doing audio in a room. And I think they might have a point. Specifically, here are the two reasons I think active will win over time.
Pairings Are Everything: If you hang around in any audiophile forums or channels you’ll find everyone talking about how this amp pairs with this DAC and this speaker. Ad infinitum. It’s one of the primary topics, and this is precisely what active systems do so well because all three were designed to work perfectly together.
The Room Matters More Than Most Know: At the very high-end of audio you start to realize that a $10,000 system in a great or treated space can sound like a $50,000 system. And a $200,000 system in a bad room can sound like a $50,000 system. The room matters. A lot. And these new active systems aren’t just shooting out air: they’re using the latest technology to control how the speakers emit sound, they’re using technology to adjust their sound with EQ, and—most importantly—they’re using measurement techniques to optimize the sound of the entire system within a given listening space.
These are huge. Again, in the traditional/passive world these account for a massive percentage of your results. If you have a bad pairing, or a bad room, you can end up with a crap system—even if you spent a lot of money.
With active systems that are perfectly paired, work synergistically together between the highs, mids, and lows, and adjust their sound based on the space they’re in, you’re getting an automatic boost in overall experience that people would kill for in the passive world.
All because of new technology.
So it really does start to look like a battle between the old Mustang 5.0 that’s had $50,000 of love put into it over the last 20 years, vs. the Tesla Model 3 that destroys it off the line every time.
Now that analogy only works for a specific measurement, which is acceleration off the line. But that happens to be one of the most traditionally coveted metrics in car-loving history. And my argument is that this passive vs. active situation is very similar when it comes to overall sound quality.
You’ll still have people at the audio and car shows showing off their super expensive old-style stuff. And pouring tons of love into their equipment—which is wonderful—but they’re going to look the other way when some 20-year-old drives through in a Tesla looking for a race. Or showing off a full Genelec active system where the monitors, woofers, and subs all work together to do exactly the right thing at the right time for the room that they’re in.
That’s the audio equivalent of zero to sixty in 2.9 seconds.
And here’s the crazy part—the active world can keep getting better! There is plenty of room to grow in the fast-moving world of technology when you fully control the amps, the DACs, the speaker designs, and you have all that adjusting dynamically to the room.
Anyway, those are the two main reasons I think active will win: Pairings and Room Optimization.
March 15, 2021
News & Analysis | No. 272
March 12, 2021
Chart Scale Types
When Steven Few is confused about something that means I probably am as well. He also writes blog posts for the same reason I do—which is to clarify confusion in his own mind.
I’ll also capture a few he didn’t talk about.
In this post about ordinals, he talks about how they’re often used incorrectly. But most important to me, he gives a number of definitions that I wanted to capture here.
Here are the main types of scales used in showing data on a chart.
Nominal Scale: Only the selection name matters, not any particular order. Example: “What’s your favorite streaming service? NETFLIX, Disney+, Hulu, or Other?”
Ordinal Scale: Only the order matters, but you can’t tell the relative difference between the items. Example: “What is the most prestigious college according to Forbes? Answer: Harvard, Stanford, Princeton, etc.”
It’s often bad to assign quantitative values to items in a Likert Scale.
Using scales incorrectly can cause confusion in those consuming your data.
Interval Scale: Subdivides a range of quantitative values into equal intervals. Example: “0, 10, 20, 30, 40, 50”
Likert Scale: Allows one to respond to a question with ordered responses, but where the answer is not quantitative. Example: “Do you drink Heavily, Moderately, Seldom, Never?”
Logarithmic Scale: A logarithmic scale is where each marker corresponds to an equal logarithmic distance. Example: “One, Ten, One Hundred, One Thousand, Ten Thousand, One Million”
A log is an exponent.
Charles Wheelan, Naked Statistics
In a Base 10 log scale, each number would be 10x the previous number.
Ratio Scale: An ordinal scale that also gives you quantitative data. Example: “Over 6 Feet, Less than 6 Feet but Over 5 Feet, Below 5 Feet”
The biggest takeaway for these is that using them incorrectly can totally change the meaning of the data you’re trying to display. Or, more accurately, it can lead you and others to draw conclusions that they shouldn’t.
Especially if there are big differences in the values.
If your quantitative scales are wrong, or if you assign numbers to Likert Scales, you can end up painting a picture that doesn’t match reality. But because your chart looks nice people will believe it.
It’s like Lying With Statistics, except by accident.
Learn the scale types so you can avoid this.
March 10, 2021
How Raising the Minimum Wage Can Accelerate Human Job Loss to Automation
March 8, 2021
News & Analysis | No. 271