Daniel Miessler's Blog, page 58

The Lawfare Podcast is one of my few staples, and I just listened to another great episode on espionage against US buisnesses.

My main takeaway was this:

Foreign governments—and especially China—are pivoting from targeting other governments for their secrets, to instead going after private companies because that’s where most of the intellectual property is.

The guests, Bill Priestap and Holden Triplett, give tons of great background and examples for this claim, and they go onto basically say that this is just a new reality—kind of like terrorism.

They also make another interesting point, which is that the US is behind in recognizing that economic power is national power, and in their willingness to use the intelligence apparatus to further those economic goals.

In other words, other governments just plainly state to themselves that the future of the country lies in its economic strength, and thus it must use its intelligence capabilities to make itself more powerful economically.

Which often means stealing IP from both friend and foe.

The US has been reluctant to use its intelligence capabilities in this way. The FBI, for example, might tell a company that they’re being targeted by a foreign adversary, and how to protect themselves, but they’re not doing that to give that company an advantage in a global marketplace.

They’re doing it because that company is considered part of home base, and their mission is to protect home base.

I think this is a really interesting distinction, and I wonder how long it’ll take the US to “catch up” to how others are thinking about this.

—

If you get value from this content, you can support it directly by becoming a member. Being a member gets you access to the newsletter every week instead of just twice a month, access to the UL Slack Channel, the UL Book Club, the UL Archives, and access to future member-only content.

The Lawfare Podcast is one of my few staples, and I just listened to another great episode on espionage against US buisnesses.

My main takeaway was this:

Foreign governments—and especially China—are pivoting from targeting other governments for their secrets, to instead going after private companies because that’s where most of the intellectual property is.

The guests, Bill Priestap and Holden Triplett, give tons of great background and examples for this claim, and they go onto basically say that this is just a new reality—kind of like terrorism.

They also make another interesting point, which is that the US is behind in recognizing that economic power is national power, and in their willingness to use the intelligence apparatus to further those economic goals.

In other words, other governments just plainly state to themselves that the future of the country lies in its economic strength, and thus it must use its intelligence capabilities to make itself more powerful economically.

Which often means stealing IP from both friend and foe.

The US has been reluctant to use its intelligence capabilities in this way. The FBI, for example, might tell a company that they’re being targeted by a foreign adversary, and how to protect themselves, but they’re not doing that to give that company an advantage in a global marketplace.

They’re doing it because that company is considered part of home base, and their mission is to protect home base.

I think this is a really interesting distinction, and I wonder how long it’ll take the US to “catch up” to how others are thinking about this.

—

If you get value from this content, you can support it directly by becoming a member. Being a member gets you access to the newsletter every week instead of just twice a month, access to the UL Slack Channel, the UL Book Club, the UL Archives, and access to future member-only content.

I’m a huge fan of both Reddit and RSS, but it’s not super clear how they work together.

The old version of Reddit used to show all your RSS options very clearly, as you see below, but that functionality is now hidden in the new interface.

How old reddit used to show RSS feeds

I think they want you on the site, not in a news reader.

But while those options aren’t shown anymore, the RSS feeds still mostly work. So here’s a list of them in one place.

Reddit URL schemes

The most basic trick (that pretty much works everywhere) is to simply add .rss to the end of any URL.

reddit.com/r/technology/.rss

Using that basic scheme, you can actually do quite a bit using Reddit’s own built-in URLs.

These work in a browser as well, not just via RSS.

/r/technology/top

/r/technology/hot

/r/technology/new

/r/technology/rising

/r/technology/controversial

A little-known one is that you can filter by domain.

reddit.com/ycombinator.com/.rss

Reddit filtering options

You can filter by the number of results you want to get back.

// Limit the results to 25

/r/technology?limit=25

You can ask for results before or after a certain post.

// Useful if you need to pull a lot of results

/r/technology?after=t3_15bfi0

Putting it all together

And—most importantly—you can combine these options.

// Get the top 50 results from the /r/netsec sub, as RSS

reddit.com/r/netsec/top/.rss?limit=50

// Get the fastest rising results from the /r/technology sub, as RSS

reddit.com/r/technology/rising/.rss

Don’t do this unless you hate people, or plan to.

// Get the top 10 most controversial posts in the /r/philosophy sub, as RSS

reddit.com/r/philosophy/controversial...

Summary

So that’s it.

You can add .rss to the end of any Reddit URL and get the RSS feed for it.
You can view any sub using many different views, including top, rising, most controversial, etc.
You can then filter those further with limits of how many results you get.
You can combine these options to build your own URLs.


Example URLs


https://www.reddit.com/r/netsec/top/.rss?limit=50
https://www.reddit.com/r/technology/top/.rss?limit=100
https://www.reddit.com/r/philosophy/controversial/.rss?limit=10


Notes


You can still get a list of your own private feeds here, but I don’t know how long that will last since they hid it in the new interface.
You can combine before, after, and count to do pagination.

—

If you get value from this content, you can support it directly by becoming a member. Being a member gets you access to the newsletter every week instead of just twice a month, access to the UL Slack Channel, the UL Book Club, the UL Archives, and access to future member-only content.

I spend my time reading 3-6 books a month on security, technology, and society—and thinking about what might be coming next. Every Monday I send out a list of the best content I’ve found in the last week to around 40,000 people. It’ll save you tons of time.

MY NEW ESSAYS



Introducing Amazon Curate — I wrote up a fake product release for a product that I wish Amazon would make. A few friends at Amazon have already reached out and said they might actually make it. More Fake Product Release



SECURITY



Another Tesla (a Model X) has been hacked using an attack against its key fob, and Tesla has released new firmware to address the issue. More



The US Senate has passed an IoT Security bill that would require NIST to create new security requirements for IoT devices used by the Federal government. More



Someone assassinated Iran’s top nuclear scientist in a suburb of Tehran. He was ambushed in a car on a country road outside Tehran. Iran blames Israel, which wouldn’t surprise anyone. More



Tyndall Air Force Base in Florida is being guarded by robotic dog-like creatures that patrol the area around the base and then go back into their kennels for a recharge. They feed 3D visual data back to the ops center as they patrol. More



Vulnerabilities: 

Drupal has released updates for multiple critical vulnerabilities that can lead to complete system takeover. More
TikTok has awarded $4,000 to a researcher for discovering an XSS and CSRF vulnerability allowing him to reset passwords on certain accounts. More

Ransomware:

Baltimore schools have been stopped by ransomware again. They’re saying it could take weeks to get everything back online, but they’re planning to start back classes within days. More

TECHNOLOGY



Tesla is now worth half a trillion dollars, which is weird. More



Long-haul trucking companies in the US are increasingly installing cameras and AI in trucks to monitor drivers’ behavior. They can detect things like how often people pick up their phones, how often they get distracted, and when they appear fatigued. More



Microsoft has filed some patents around scoring meetings based on body language and facial expressions. More



Salesforce’s Einstein platform is now serving over 80 billion predictions per day, which include things like when to engage a sales lead, predicting the chances of an invoice being paid, and what products to recommend to a given customer. More



Microsoft’s Office 365 has new functionality that lets your boss monitor how much email and video conferencing you do, and a lot of people are nonplussed. The functionality isn’t on by default though, and there seem to be some benign use-cases, but it’s definitely noteworthy. More



Salesforce is looking to buy Slack. More



Companies:

ClosedLoop.ai just raised a $11 million dollar Series A to predict health outcomes. They’re looking to answer questions like, “Who is most likely to X?” More
Splunk> has purchased Flowmill, a network observability company that focuses on network performance issues in the cloud. More

HUMANS



Companies are starting to use automation and games to do interviews without interviewers—especially for high-turnover jobs like fast food and warehouse workers. Some are being asked to record their answers to questions, others are being asked to play games that test their skills and personalities. More



Amazon is becoming an absolute juggernaut. They’ve hired 427,300 employees in the last 10 months and now have over 1.2 million employees. And they’re still hiring massively right now. More



Amazon is giving its front-line workers $500 million dollars in one-time bonuses. Full-time operations staff in the United States who are employed by Amazon from Dec. 1 to Dec. 31 will receive a bonus of $300, while those in part-time roles will get $150. More



IDEAS, TRENDS, & ANALYSIS



Welcome to the New Middle Ages More



The CDC is predicting US COVID deaths could reach 321,000 by mid-December. More



1 in 6 US families with children don’t have enough to eat this holiday season. More



UPDATES



Matt in the UL Community just recommended How Spies Think, by David Omand, and that’s now in my queue. More



Currently reading:

Atlas Shrugged
Anna Karenina

I was reticent to read Atlas Shrugged since I’ve avoided it for multiple decades, but after hearing an Objectivist Philosophy expert on Lex Fridman’s podcast I was intrigued enough to have a go. It’s actually spawning some interesting thoughts around a unified, centrist political theory that I’ve been working on. So I’m excited about it, and actually enjoying it so far (about 1/10 of the way through).



DISCOVERY  



Cobalt Strike Beacon Analysis from the SANS ISC More



Technical Phone Screen Superforecasters More



Blogging vs. Blog Setups More



Advice for Newsletter-ers More



The Queen’s Gambit is now the most-watched Scripted Limited series in Netflix history. More



The Game is a game where you have to avoid thinking about the game itself. More



Writing Well More



RECOMMENDATIONS



Hire People Who Give a Shit — An interesting article on how to find people who care deeply about your mission and their work. Includes a good list of questions at the end. More



5-Second Feedback — A 4-step process to giving complete feedback to someone on your team. More



APHORISMS



“The calamity of the information age is that the toxicity of data increases much faster than its benefits.”



~ Nassim Taleb

—

If you get value from this content, you can support it directly by becoming a member. Being a member gets you access to the newsletter every week instead of just twice a month, access to the UL Slack Channel, the UL Book Club, the UL Archives, and access to future member-only content.

Click for full size

This isn’t a real product, but I wish it were.

Announcing Amazon Curate

There are thousands or even millions of creators putting out great content that nobody is seeing.

Amazon Curate is a new product that combines content discovery with content personalization.

Companies have solved the problems of, “show me the best tcpdump tutorial”, or “show me the links that people are sharing the most”, but they’ve not solved the problem of, “show me new writers, creators, and other artists that I’ve never heard of but would love.”

We built two systems to make this possible:

Survey — a new high speed internet crawling platform optimized for speed and niche coverage discovery
Surface — a new customization engine based on machine analysis and feature extraction of content discovered by Survey

These two systems are then integrated with existing RSS readers, starting with a partnership with Feedly. Once Amazon Curate integration is enabled, Feedly includes a new Surface menu, which brings in new RSS feeds for topics that you are interested in, e.g., Security, Woodworking, or Investing.

This allows people—for the first time—to be exposed to great unknown creators that share similar foci, and it will allow those creators to get noticed by more people.

Amazon Curate introduces the other 99% of creators to the internet.

Integrations with additional RSS readers are forthcoming in the coming weeks.

That’s the product I’ve wanted for over a decade.

Discovery is a huge issue.

There’s an argument that most of the good creators are already being seen because Google, Social Media, and word of mouth are finding the best stuff out there. I don’t buy that argument.

I have seen far too many examples of phenomenal content that sits on the internet, gets crawled by Google, and yet has no following.

The author doesn’t know how to, or care to, do self-promotion across various channels, so they either continue to write for nobody or they give up because nobody appreciates what they do.

But what if there was a “great contentness” rating that could be assigned by AI? I’m not an expert in the field, but it seems that we’re getting pretty close to being able to use Unsupervised Learning on a given piece of content, find its various peculiarities, and then have a platform take user-generated ratings for labels.

Then, when new content is discovered, it could go through the same process and get matched up with the preferences of a particular user.

This would be like combining Google, NETFLIX, and TikTok all into one engine.

I want it.

Notes


Maybe more TikTok than NETFLIX because it’d be matching your particular tastes rather than looking at what similar people liked.

—

If you get value from this content, you can support it directly by becoming a member. Being a member gets you access to the newsletter every week instead of just twice a month, access to the UL Slack Channel, the UL Book Club, the UL Archives, and access to future member-only content.

You’ve reached a piece of member-only content.

Subscribe

If you’re already a subscriber, please login here.

—

If you get value from this content, you can support it directly by becoming a member. Being a member gets you access to the newsletter every week instead of just twice a month, access to the UL Slack Channel, the UL Book Club, the UL Archives, and access to future member-only content.

People talk a lot about prolonging their lives through medicine or technology, but most ignore ways we can get more from the time we have.

You can add time by noticing time.

And I don’t mean “get more” in the shallow, self-help kind of way. I mean ways to practically increase and enhance the experiences we enjoy while on this planet.

For me there are two main ways of doing this:

Reading
Meditation

Video Games will do this as well, once they’re good enough.

Reading expands the number of experiences one can have. This is especially true of fiction and biographies. They allow us to experience lives as if we lived them. And not just other lives like ours, but vastly different lives.

Especially biographies from different points in history.

Reading lots of good fiction, and many biographies, broadens our life experiences and our wisdom to include that of dozens—or even hundreds—of other existences.

Experiencing More and Appreciating More

So reading offers a broadening of experience.

Meditation is the Yang to reading’s Yin, as it deepens experience.

Specifically Vipassana meditation because it focuses on noticing the current moment.

So while reading gives you more experiences—and of different types—meditation gives you the full value of the time you actually have.

Someone could spend 90 years on the planet without paying attention to anything, and effectively enjoy a tenth of that. While someone wiser could only live to 40 yet enjoy it three times as much.

It’s mindfulness that matters more than meditation here.

Ideally we would combine the two—experiencing more through reading, and appreciating every experience through a practice of mindfulness.

Notes


Sam Harris said something brilliant about this in one of his Waking Up sessions, where he offered that it wasn’t time that was the currency of our lives, but attention.

—

If you get value from this content, you can support it directly by becoming a member. Being a member gets you access to the newsletter every week instead of just twice a month, access to the UL Slack Channel, the UL Book Club, the UL Archives, and access to future member-only content.

There’s something wrong with how we’re thinking about the problems of content moderation and biased AI.

We’re telling ourselves a pleasant childhood fantasy—that we humans are fine, it’s the tools that are the problem! It’s this darn AI that’s biased. It’s the social media that’s hateful.

Nope, that’s too easy. Too childish. Do they magnify negativity? Absolutely. Do they exacerbate innate weaknesses? Sure.

But all these tools have really done is revealed what was already there. They’ve shown a black light on the serial killer porn shops that are the human psyche.

An anti-woman group that would have been 19 angry men in some two-horse town in 1985 becomes a Facebook group with 40,000 people that start harassing women online
A Black family is denied a home loan because the AI looks at the applicant’s face and determines they are high risk
A child predator taps into a massive social network that shares how to target kids without getting caught

This isn’t a tech problem. This is tech revealing a human problem.

The anti-woman group would spread his filth to the United Federation of Planets if he could. The AI said the man was a bad loan because of 150 years of mistreatment of his people. And the only way to stop bad people from congregating is to stop people from congregating.

All this tech has done is evolve to such a high level of efficiency that it’s showing us exactly who we are. The better it gets, the better a mirror it becomes.

In short, the problem isn’t that we have good mirrors, the problem is that we’re ugly.

So when we start talking about fixing biased AI, and fixing social networks, we need to understand exactly what we mean.

Do we hate these mirrors we’ve built, or do we hate what we see when we look in them? We shouldn’t confuse the two.

It could be that an AI will give someone named Daniel Silverman a loan, with very little additional information—based on its training data—and this might actually be predictive of him paying it back.

Is that racist? I think so—it depends on how you define it. But is the AI biased? I’m not so sure. There’s a difference between AI being biased and an AI telling us something we wish were not true.

If an AI accurately predicts the loan repayment rates for a rich Asian man vs. a poor white man, taking into account a ton of other factors like parental income, level of education, work history, etc., and the algorithm says the Asian guy has a 97% chance of paying the loan back, and the white guy from West Virginia has a 27% chance of repayment, is that racist?

I mean, it’s racist in the sense that it favored one race vs. another in this case. And it probably would many more times. But if the algorithm is good at what it does, and uses lots of data, it’s getting those good results by closely matching reality in its predictions.

It’s the reality that’s the problem, not the algorithm’s ability to describe that reality.

Again, mirror vs. face.

And it’s the same for hate on social media, or in instant messages, or in peoples’ brains. Those mediums simply represent various levels of hiding what’s already there.

The hatred exists in people’s brains. It’s existed in private conversation for thousands of years. And it is now being revealed and magnified like never before due to technology.

I know there’s an analog to weaponry here. So am I arguing that, “Guns aren’t the problem, people are the problem!”? Yes and no.

I support both gun ownership and gun control. And again, I break that into two separate problems, fixing broken humans and broken societies, and limiting the damage that those things do when they go bad.

It’s the same with AI and social media. The core of the problem is the societies we’ve built, but we should also be willing to take steps to limit damage. And if that means controlling the power of the weaponry (AI and Social Media), then so be it.

But we must not confuse the mirror and the face, the weapon and the sickness, the hatred and the microphone.

Notes


I am well aware that not all so-called biased AI is actually accurately representing reality in a way that’s uncomfortable. There are countless implementations that take sloppy, negligent shortcuts that produce horribly racist results, often to the pleasure of the operator because it reinforces their inherent racism using “the wisdom of computers”. It’s super gross.

—

If you get value from this content, you can support it directly by becoming a member. Being a member gets you access to the newsletter every week instead of just twice a month, access to the UL Slack Channel, the UL Book Club, the UL Archives, and access to future member-only content.

I had an idea for a comedy bit a while back, which I guess I’ll capture here. It goes something like this.

This is more humor than political, but if you like Trump you might want to look away.

—

(imagine a comedy club and a guy onstage)

I think Trump is triggering everyone accidentally. Like he’s even bad at that.

I think he’s such a psychopath that he’d be a horrible actual villain.

(uncomfortable laughs)

The guy has no actual beliefs! Or at least he can’t remember them from one meeting to another. He only cares about himself.

Like he’d be a horrible white supremacist. Like the Klan would come up to him and be like,

KLAN: Hey, you look like you’re signaling to us with all the white stuff, so you’re in right? (wink, wink)

And Trump would be like,

TRUMP: Oh yeah, 100%, all the whites, I’ve been saying that for years. Whites are the best!

And then when they meet in a week at the next meeting Trump shows up again and he brings Kanye.

(laughing)

And the racist guy pulls him aside and is like,

KLAN: Hey man, what the actual fuck? You bring a fucking Black guy to a Klan rally? What the fuck is wrong with you?

And without missing a breath, Trump says:

TRUMP: Yeah, but so look, everyone loves me, whites, Blacks, Kanye, everyone. Kanye’s very popular with whites you know, and he’s got a new album coming out. You guys should go to the show. I can get you tickets. Kanye’s a friend of mine. Going way back, before he was big. He’s a huge fan of mine.

Like he’s just fucking oblivious.

(laughing)

He’d be a horrible Satanist too.

SATANIST LEADER: What the fuck, you brought a bunch of Catholics to our animal ritual?

Trump smiling,

TRUMP: Look we all are into animals. I’ve been giving to animal events way before most people. Hey Christopher (pointing and calling over a guy in a priest outfit), come over here and meet my friend who does the animal stuff!

—

Anyway, a comedy idea explaining what I learned from the Bolton and Woodward books: Trump doesn’t care one bit about anything outside himself. Not religion, not friendship, not America.

They’re all just party themes he can employ to make himself richer, more popular, or both.

—

If you get value from this content, you can support it directly by becoming a member. Being a member gets you access to the newsletter every week instead of just twice a month, access to the UL Slack Channel, the UL Book Club, the UL Archives, and access to future member-only content.

Daniel Miessler is a recognized cybersecurity expert and writer with 20 years in Information Security. His experience ranges from technical assessment and implementation, to executive level advisory services consulting, to building and running industry-leading security programs.

His 20 years of experience in security ranges from the vibrant startup ecosystem in his birthplace of Silicon Valley, to working with many of the top 100 worldwide companies. He frequently gives talks and participates in panels around the world, and his work and commentary have been featured in dozens of the world’s leading publications.

LinkedIn

Relevant presence data

Daniel dislikes speaking about himself in the third person.

Web Traffic for January 2020

✓

Twitter: @danielmiessler, ~101K followers, verified by Twitter in 2016.

Website: danielmiessler.com, active since 1999, over 2,000 pieces, monthly visitors ~450K, one of the highest rated personal sites in the world—with a Global Alexa rank around 90,000, and a US Alexa rank around 30,000.

Podcast: The Unsupervised Learning podcast has been going since 2015, and has been rated as one of the top security podcasts for the last several years. The podcast is downloaded approximately 25,000 times a month according to Omnystudio.

The podcast and newsletter are two parts of the same show.

Newsletter: The Unsupervised Learning newsletter has been running since 2015, and is widely popular within the security and tech industry. It reaches approximately 30,000 subscribers and has open and clickrates far above the industry average (~30%/~11% for standard subscribers, and ~75%/50% for members), as measured by MailChimp.
Speaking: 2018 Keynote Speaker at the Rocky Mountain Information Security Conference (RMISC), 2016-2018 AppSec California OWASP Conference, DEFCON 23 (IoT Village), BlackHat 2015 (Arsenal), OWASP AppSec USA, RSA USA (2015, 2016, and 2017), many, many more

Also listed on a list of people who gag when talking about themselves being on lists.

Recognition: Listed among Top 50 InfoSec influencers by DigitalGuardian in 2018, listed as the top InfoSec thought leader in this InfoSec Institute list, listed as the top InfoSec influencer on Onalytica’s 2016 InfoSec Influencers List.
Projects: 2015: Launched the Unsupervised Learning podcast and newsletter, which has around 20,000 followers, 2018: Founder and CEO of the HELIOS company, in the Attack Surface Monitoring space, Creator and leader of the OWASP IoT Security Project, Creator and leader of the SecLists Project, Consistent blogger at danielmiessler.com for nearly 20 years, Coverage of tech conferences often highly commented on by other top industry players, Active coder on GitHub, with over 1K followers, Other projects.


Notes


I strongly dislike speaking of myself and my work in this way, and I used to have this page hidden away just for responding to media inquiries. But with the recent changes to Google’s algorithms (circa September 2018) that focus on fighting fake news and establishing credibility, it’s now become necessary to demonstrate clearly who you are and why someone should listen to you with everything you write. So my apologies for this reading like a case study in narcissism.

—

If you get value from this content, you can support it directly by becoming a member. Being a member gets you access to the newsletter every week instead of just twice a month, access to the UL Slack Channel, the UL Book Club, the UL Archives, and access to future member-only content.