Daniel Miessler's Blog, page 59

November 17, 2020

Why Robinhood is Dangerous for New Investors




After ignoring the chatter for months I finally decided to check out Robinhood.



I get the appeal.



It’s clear that the app is designed to appeal to younger users.



It’s a beautiful, snappy, and downright alive-feeling application that looks equally good on mobile or desktop. As you move around in it, the numbers for your investments and for the various stocks are in constant motion.



When you take an action, you see results instantly, and you’re constantly being shown information that you might want to take action on. Basically, the app is fun, the app is exciting, and yeah—the app is addicting.



Remind you of anything else?



That’s the problem.



(Image: the Top Movers section of the main page)



The Top Movers section is a great example. When you see that some $2-dollar stock just jumped by over 70% it gives you the most dreaded of feelings—especially for a 20-something—FOMO.



That, combined with the entire interface being in constant flux creates this feeling that you’re missing out. It’s screaming at maximum volume:




Other people are making tons of money! Right this second! Using the same information that you are staring at right now! Do something!




(Image: Robinhood's displays of the top lists of stocks that people like to see)



The popular subreddit, /r/wallstreetbets, is a hilarious but cringy look at the n00b-investor scene, and it takes particular pleasure in making fun of Robinhood users.



(Image: one of the many Robinhood jokes on /r/wallstreetbets)



They’re encouraging this through interface design, just like social media.



That’s all good fun, but encouraging novice investors to essentially become day traders is not a nice thing. While this might get more young people involved in investing, it might also sting them badly by prompting bad behavior.



Much of the best investing advice says to invest in solid stocks over the long-term, and to let it ride through the inevitable ups and downs—for years.



This all comes down to Decision Engineering, which Tristan Harris writes about extensively.



Robinhood’s focus on active engagement prods people to do the exact opposite of this, leading people to the often joked about, “Buying green and selling red”, which is the direct result of being exposed to FOMO-creating design cues.



In sum, Robinhood is dangerous because—like social media apps—it’s engineered to create a sense of urgency and action. Seasoned investors in their 30s, 40s, or 50s might be able to manage those urges, but plenty of people in that age group are addicted to social media for the same reasons. Young people with less life experience are even more vulnerable.



If you put a 20-something brain against a team of highly-paid AI specialists, it’s easy to pick the winner.



As Tristan Harris pointed out in The Social Dilemma within the context of social media, this is really your brain vs. the brains and AI weaponry of a massive team of AI specialists at Facebook, TikTok, etc.



And it’s no different at Robinhood. The creators of the app are trying to get people to trade on it. Period. That’s their goal. And they’re using all the same social media design trickery and AI to make it happen.



Younger people should be especially cautious.



So while I’m a huge fan of the Robinhood video game—yes, that’s how I see it—I don’t really recommend people use it for their main investing platform. If you’re trying to invest for the long-term it’s an interface that encourages the opposite. And if you’re a day trader it’s massively underpowered as a tool.



Robinhood to me, in its best possible light, is a way to get young people thinking about the future of their money. And that’s a good thing.



I just worry it’s like giving a Lamborghini and a 6-pack to a 17-year-old. Sure, it might teach them about seatbelts, but not in a good way.



Notes


While I think the creation of social-media-like urgency is clearly dangerous for novice investors, I think the app does have its upsides. It turns investing into a game that can appeal to younger people who usually think about retirement far too late. The question is whether the interest it generates is counteracted by the harm it causes.
This app really focuses the social media conversation because it’s another example of where you’re being presented something that appears overtly positive, but that ends up being toxic due to the incentives of the creators. That’s not a hit on Robinhood. It’s a hit on most companies that have growth and engagement as their primary mission, all else be damned.



If you get value from this content, you can support it directly by becoming a member. Being a member gets you access to the newsletter every week instead of just twice a month, access to the UL Slack Channel, the UL Book Club, the UL Archives, and access to future member-only content.



Published on November 17, 2020 18:51

November 15, 2020

News & Analysis: No. 255
MY ESSAYS



Organizing Feedly by Tags More



Joe Rogan vs. Alex Jones More



SECURITY NEWS



Solid is an idea and company started by Tim Berners-Lee, the inventor of the World Wide Web. The idea is that you put all your data into a Solid Pod, and then you give granular access to that data to others. So rather than your data being owned and controlled by various corporations, you’d have it all yourself and you’d just give access to groups that provide you functionality. More



Jackson, Mississippi is running a pilot program allowing police to access the live feeds from citizens’ Ring security cameras. More



California’s Senator, Dianne Feinstein, who was also Chair of the Senate Intelligence Committee, had a Chinese spy working for her for 20 years. He was evidently mostly a driver and a gofer, but he did serve as the liaison to the Chinese Consulate as well. The FBI concluded that nothing serious was leaked, but, seriously? More



Trump has banned Americans from investing in 31 different Chinese companies due to their ties to the Chinese military. More



There’s now a black market for fake COVID test results. Because of course there is. More



Microsoft is saying you should use app-based MFA, and not SMS. This is the debate that doesn’t die. My opinion is that you should use app-based for your highest-risk accounts, such as email and anything financial, and that SMS is probably good enough for most others. And SMS is still far better than password alone. More



The US’s latest tactic against Russian government APTs is trolling them via embarrassing cartoons. More



Samy Kamkar released new research called NAT Slipstreaming: a malicious web page can get a visitor’s router to open inbound ports to the visitor’s machine by abusing the router’s SIP application-level gateway (ALG) with crafted browser traffic, so simply visiting the site is enough to expose internal services. Samy remains my favorite researcher, both personally and technically. More



Shadowmap did some great analysis on how a Chinese company called Zhenhua Data collects and organizes social media data on American targets. More My Essay on This



CISA says the recent US election was the most secure we’ve ever had. It’s good to hear we’ve made such significant gains in election security since 2016, but it seems clear now that the bigger threat is the influence of populations, not manipulation of the election technology itself. More



The Chinese hacking competition, the Tianfu Cup, yielded vulnerabilities in Chrome, ESXi, Windows, and many other platforms. More



Israeli agents assassinated Al Qaeda’s #2 along with his daughter, shooting them from a motorcycle on the streets of Tehran, Iran. More



Vulnerabilities: 




Google has released some updates to Chrome. More
Cisco has released updates for its IOS XR software for ASR 9000 series routers. More
There’s a new DNS cache-poisoning attack called SAD DNS. It uses an ICMP rate-limit side channel to infer the ephemeral source port a resolver used for an outstanding query, which strips away most of the source-port randomization that has defeated Kaminsky-style poisoning since 2008. More More
WordPress has patched 10 security bugs as part of their recent 5.5.2 release. More


Breaches:




Luxottica has announced a data breach affecting 820K EyeMed and LensCrafters patients. More
Capcom disclosed a breach this week in which the attackers deployed Ragnar Locker ransomware. The attackers claimed to have stolen more than a terabyte of files. More
28 million Texas drivers have had their data stolen. It was leaked by an insurance software company called Vertafore, which left the data in an unsecured location. More


Companies:




Menlo Security just raised a $100 million Series E for its browser-isolation approach to phishing: web content is rendered remotely and only a safe representation, not the original page, is delivered to the user. More
Eagle Eye is bringing video surveillance to the cloud, and just raised a $40 million Series E. More


TECHNOLOGY NEWS



Zoom is lifting its 40-minute limit on free meetings for Thanksgiving. More



Amazon is expanding its garage door delivery service to over 4,000 cities. It allows the Amazon driver to open your garage door and put your stuff inside, instead of leaving it on your doorstep. More



Amazon is releasing something called Care Hub, which allows people to care for their aging family members. It allows you to link accounts with elderly family members so you can see things like commands issued, lights turned on, etc. The elderly family member can also say, “Alexa call for help”, and it will contact the connected family member. More



Facebook has copied Snap’s vanishing message feature on Messenger and Instagram. More



Zoom’s stock took a massive hit last week when news was announced that we are getting closer to a COVID vaccine. More



AWS just launched a new service called AWS Glue DataBrew, which cleans and normalizes data—supposedly up to 80% faster. More



Companies:




Databricks has launched SQL Analytics. More


HUMAN  NEWS



McDonald’s is doubling down on automation tech, including automation to take and parse orders, as well as a focus on drive-thru. Again, COVID didn’t start this trend, but it accelerated it. More



Scientists injected the gene associated with the enlargement of the human brain into monkey fetuses in utero, and the fetal brains grew larger and more human-like. They did not let the monkeys be born, though, because they said that would have crossed an ethical line. More



Unemployment claims in the US fell to the lowest level since March, at 709,000. More



The US divorce rate has hit a 50-year low. More



One good sign in the American jobs market is that churn is increasing, meaning there are more people leaving their jobs voluntarily. Over 3 million did so in August, and layoffs declined and openings increased. More



MakAir is an open-source ventilator, and it’s now being used to treat human patients. More



The New York Times has hit 7 million digital subscribers and is now making more from online than print. More



US visas for Chinese students are down 99%. More



A very unscientific poll on Hacker News asked, “Are you depressed?”, and the results were 53% yes. Again, who knows if that was gamed or how clean it was, but if that’s anywhere near accurate that’s troubling. More Discussion



78% of Americans say there is more crime in the US in the last year, but far fewer say there is more crime in their area. More



IDEAS, TRENDS, & ANALYSIS



A fascinating video clip of Neil Postman talking about Cyberspace in 1995. His book, Amusing Ourselves to Death, is one of my favorite books of all time. More



Disney+ now has 73 million subscribers. More



UPDATES



Reading:



I just finished:




The Uprising, which is the UL Book Club book of the month
We, which is the dystopian precursor to 1984 and Brave New World


Currently reading:




Prestige, a book about hiring at elite institutions 


DISCOVERY  



CrowdSec — A modern, crowdsourced replacement for Fail2Ban written in Go. More



Drumbit — an online drum machine. More



Cartography — An asset inventory tool from Lyft that pulls infrastructure assets (cloud accounts, identities, hosts, and so on) and the relationships between them into a Neo4j graph for querying and visualization. More



Linux Command One-liners More



A visualization of American trust in TV news media. More



A CISO Mindmap — What do security professionals really do? More



Making money in bounty is all about being unique, whether that’s through new bugs, speed, or finding special targets. More



There’s a Twitter hashtag for hacking with automation. #hackwithautomation



A Twitter thread on how bad Google is at UX. Highly entertaining. And true. More



DNSX — A new DNS tool from ProjectDiscovery.io that allows you to perform a high volume of DNS queries using multiple resolvers. More



RECOMMENDATIONS



The Surrender of Culture to Technology (Video) More



APHORISMS



“It is difficult to get a man to understand something when his salary depends upon his not understanding it.”



~ Upton Sinclair





Notes


Sep 8, 2020 — This episode originally had this story wrong in the podcast and newsletter—stating that the JEDI contract went to Oracle. My apologies for the error.



Published on November 15, 2020 23:54

Organizing Feedly by Tags




I’m kind of obsessed with organizing my RSS feeds, and I try to do a restructure every two years or so.



This time I’m going hyper-specific with tags.



Tags are basically how Feedly does organization, so it’s a natural fit. But prior to this re-org I was using very large tags like, security, technology, politics.



Those turned out to be too broad.



So what I’m looking to do now is break them out into smaller pieces.






The naming mechanism is basically: subject-subtopic-type, or subject-qualifier which gives me tags like:




politics-outlets
news-high-quality
security-vulnerabilities
influencers-science
politics-news-high-quality


This way I can incorporate the context—and trust level—when I’m reading headlines. And it allows me to use two main techniques to prioritize my reading:




Add the highest quality ones to Favorites
Sort the list from top to bottom by priority


So if I’m in a massive rush I can just check Favorites.



And if I have time I can start from the top and move down.



And if I am only interested in certain topics, or certain sources, I can check just those tags.



Hope this helps give someone ideas on how to organize their stuff.




Published on November 15, 2020 14:59

November 13, 2020

My View on Abortion




I have a good friend who’s conservative and strongly against abortion. I see him posting stuff on Facebook about it, which triggers me to respond. But I never do because Facebook is not a place for serious discussion. It’s a place for partial discussion that inflames both sides.



So here’s my opinion on abortion, and why.



This is best captured in Sam Harris’ The Moral Landscape.



To me, the bedrock of human morality is the experience of conscious creatures. I don’t believe there’s any evidence that humans arrive in this world with a non-material soul. Having anything non-material is an extraordinary claim, and thus requires extraordinary evidence.



So, as far as I can tell, we are just another life form on this planet. We are wondrous, to be sure, but we can see sparks of that same beauty in many other living creatures we share the planet with.



(Image: a cute baby monkey doing cute baby things)



It’s possible to imagine a material version of a soul if you constrain it to beauty and uniqueness.



I can’t find a clear, moral line between causing pain and suffering to a human versus—say—a baby monkey. They feel pain. They fear things. They love things. They understand the concept of good vs. bad behavior, and being held responsible for choices.



Those are all good reasons to not want to harm something, but they’re not needed. All you need is the first one: they feel pain. Not just physical pain, but emotional pain. Lots of animals have this, and that is what matters most to me from a moral standpoint.



The moment we have evidence of another realm we’ll need to add that to the equation.



Morality is about suffering and happiness. Full stop. Conscious experience is the only realm we know of that matters for these things, and therefore it’s the only realm we should consider.



And that brings us to abortion.



Abortion to me is a simple, horrific calculus. It’s about calculating suffering. Specifically, it’s about minimizing suffering. The question is, how do we do that calculation? How do we weigh it?



What matters more? The suffering of an unborn child, or the suffering of a mother? And what about society? What about members of a society that see abortion in a certain way? What about the very fact that abortion could be desired or necessary at all, for anyone?



All of these questions need to be factored into a model of understanding for human suffering. It seems callous to do so, and it’s obviously very difficult work, but the alternative to using a model is making policy decisions for an entire society based on the subjective beliefs of various factions.



One faction might be a bunch of non-scientific or unsympathetic atheists who believe life and consciousness starts at age 3. Another faction might be strict Christians who believe the Bible says life starts at conception. These two groups cannot agree because they’re not playing the same sport. Or even worse—they’re trying to play the same sport but using different rules.



This shared model concept applies to more than just abortion, e.g., criminal justice.



Logical discussion and debate require a shared understanding of the world, and for abortion that necessitates a model for the benefit and harm of a given policy.




How much do human infants experience at various ages in the womb?
How much pain can they experience?
How much danger are women in from various types of pregnancy issues?
At what age of development do pain and experience increase?
What level of suffering does a mother experience in the case of forced pregnancy?
What is their level of suffering if forced to have that child?
How much suffering do unwanted children present to mothers?
How much suffering do unwanted children present society?
How much suffering does an aborted child actually experience at each level of development?


These are horrific fucking questions. Horrific.



But if we cannot ask them, and work towards answering them, then we can’t have a logical conversation about abortion. Period.



If you want to see this in a context that’s a bit less triggering, think about prisons. Or more specifically, human incarceration.



Let’s not even talk about private prisons that incentivize every part of the incarceration lifecycle.



Freedom is a key requirement for human happiness. Yet we think nothing of holding millions of humans in tiny cages for various types of crimes. We try to make the punishment fit the crimes—usually—and we have rules for how prisoners can be treated. But we’re still robbing people of their freedom.



Many will say:




Well, they deserved it. This is punishment for their actions. Babies haven’t done anything wrong.




Sure, but that’s not the point. The point is that we’ve engaged in moral calculus, just as we need to do with abortion. We’ve said stealing a car gets you X, while stabbing someone gets you Y, measured in how much human freedom you lose.



It’s the same thing with abortion really. We’re taking something that should never happen—restricting the freedom of a fellow human being, or ending the life of a human being that hasn’t been born yet—and we’re allowing that thing to happen for a reason.



That’s what we’re doing. That’s what policy is. You make this adjustment, for this reason, to avoid this outcome, or to attempt to get a different one.



Both abortion and human incarceration are abominations, and we should be ashamed of ourselves for engaging in either of them. No question.



But—unfortunately—we’re still in a phase of human civilization development where both are needed.



And our adoption story isn’t good enough to change that calculus either.



People still commit crimes, and people still have sex in situations where they’re not willing or able to become good parents. That’s it. That’s the reason we have this problem.



Whether it’s bad upbringing, bad social safety nets, random bad luck, a lack of science or moral education—whatever—it doesn’t matter. We have all those problems in our societies, and all those problems cause both crime and sex that won’t produce children landing in an ideal home.



Note that all these societal problems seem to influence both crime and abortion.



The question isn’t whether incarceration or abortion should happen. We already established that neither should. The question is, given the harm caused by unpunished crime and millions of adult humans with bad upbringings existing in the world—what should be done?



Here’s what abortion comes down to for me. Think of the suffering of a man who lives for 60 years, who grew up without parents, who moved throughout foster homes and the criminal justice system, and who caused immeasurable harm to others along the way.



What’s their level of suffering—on a 1000-point scale. And remember, it’s not just their suffering, but the suffering that was injected into the world by them existing. So all their pain, and all the pain that they’ve caused others due to their own pain. What’s the number?



More data on inmates and family backgrounds.



Probably high. And yeah—before you say anything—obviously some people beat all the odds, grow up in foster homes, have horrible childhoods, and grow up to be extremely happy and productive members of society. 100% true. But the data clearly shows that a massive percentage of the people who commit crimes lacked a stable, loving household growing up.



But let’s not just take one of those people because any one person can be an anomaly. Let’s take 1,000 of those men. Or 100,000. Or a million. Again, these are men who might have not been born if contraception were easier, or cheaper, or if the woman had an easy path to terminate the pregnancy.



So, one million men in the world that the mother didn’t really want, or wasn’t prepared to have. Calculate the suffering that they have experienced and created in the world.



Now compare that with the suffering experienced by the one million fetuses that were terminated early in their life, before they exited the womb.



How do those two values compare?



Based on what I know of the science, the social science, and from everything I’ve learned in my life—it’s not even close. Adults who grow up neglected experience—and cause—far more pain than do tiny little fetuses when they are terminated.



And again—I’m already agreeing with you that abortion is bad. I’m already agreeing with you that one abortion is one too many.



All I’m saying is that it’s our responsibility as humans—and as members of a modern society—to do this calculus. It’s the only moral way to create policy.



Just as with incarceration, we must find and implement alternatives that reduce our need to do unthinkable things to our fellow humans. Better education, better contraception, better adoption infrastructure, better foster care.



All these can help us reduce the need for extreme, unacceptable, but necessary measures in dealing with our current reality.



You should see abortion neither as a noble or as an immoral act. Think about it like prisons. It’s a backstop control for failed human civilization, and the better we get at addressing the underlying causes the faster we can get to a world of zero abortions and zero incarcerations.



It’ll be a while.



Notes


There are other levers that can reduce the need for abortions as well, such as better adoption infrastructure. The goal is to reduce the number of neglected children, not to increase abortions.
Title image from Vice.



Published on November 13, 2020 05:14

November 11, 2020

An Agile Primer




I went a long time without understanding the basics of Agile, so here’s a quick primer for myself that I hope is useful for others as well.



What is Agile?

Agile is the concept and Scrum is the methodology.



Atlassian has a great definition.




Agile is an iterative approach to project management and software development that helps teams deliver value to their customers faster and with fewer headaches. Instead of betting everything on a “big bang” launch, an agile team delivers work in small, but consumable, increments. Requirements, plans, and results are evaluated continuously so teams have a natural mechanism for responding to change quickly.

Atlassian Agile Coach




TL;DR: Agile is the concept of developing software in short bursts rather than massive releases so that teams can adjust to change.



The biggest confusion is mixing Agile the philosophy with Scrum the methodology.



What are Epics?


An agile epic is a body of work that can be broken down into specific tasks (called user stories) based on the needs/requests of customers or end-users.

Atlassian Agile Coach




Epics should be named so that it’s extremely clear what you’re getting when it launches.



Epics are often features or other major pieces of functionality that must be broken down into multiple tasks. If the project were a real estate website, an epic might be adding a 3D touring feature. Or if the project were a SaaS HR application, an epic might be a timesheet function.



TL;DR: Epics are bodies of work that correspond to a significant feature or event.



What are User Stories?

(Image: a breakdown of Epics, Stories, and Sprints)




A user story is an informal, general explanation of a software feature written from the perspective of the end-user.

Atlassian Agile Coach




They’re features, but captured as narratives.



User stories are not just lists of features; they’re descriptions of a feature that describe what the end-user wants to get out of that feature. They’re best captured as a narrative sentence, like:




As a [persona], I [want to], [so that].




User story examples


As Max, I want to invite my friends, so we can enjoy this service together.
As Sascha, I want to organize my work, so I can feel more in control.
As a manager, I want to be able to understand my colleagues’ progress, so I can better report our successes and failures.


TL;DR: Stories are features captured as narrative sentences from the perspective of a particular end-user.



What are Initiatives?

(Image: initiatives unify epics through goals)




Initiatives are collections of epics that drive toward a common goal.




Initiatives often cross multiple teams.



Initiatives are collections of epics captured as a goal, and should be named accordingly. For example, “Bounce Rate Reduction” could be an initiative because, 1) it will likely include multiple epics, and 2) its purpose is clear.



TL;DR: Initiatives are collections of epics captured as a goal.



What are Themes?


Themes are strategic labels that can be applied to initiatives, epics, or stories.




Themes are tags that can be applied anywhere, not parents of Initiatives.



You can think of themes as tags since you can attach them to any level. A theme might be something like, “Safety First”, and that label/tag can then be applied to an Initiative called, “Encryption Everywhere”, and an epic called, “TLS 1.3 Upgrade”.



TL;DR: Themes are strategic tags.



What is Scrum?


Scrum is a framework that helps teams work together by encouraging teams to learn through experiences, self-organize while working on a problem, and reflect on their wins and losses to continuously improve.

Atlassian Agile Coach




Scrum can be used for any kind of teamwork.



TL;DR: Scrum is a cooperation framework.



What are Sprints?

(Image: the process of creating and managing sprints)




A sprint is a short, time-boxed period when a scrum team works to complete a set amount of work.

Atlassian Agile Coach




And another from Megan Cook.




With Scrum, a product is built in a series of iterations called sprints that break down big, complex projects into bite-sized pieces.

Megan Cook, Group Product Manager, Atlassian




Agile is philosophy, Scrum is methodology, Sprints are timeboxes.



Sprints are short periods of time where a certain amount of work is to be done. Sprints contain stories, which of course are part of Epics, but some epics will cross into multiple Sprints.



TL;DR: Sprints are set periods of time where a defined number of stories are worked on.



What is Kanban?

Trello uses Kanban, for example.




Kanban is a popular framework used to implement agile software development. It requires real-time communication of capacity and full transparency of work.

Atlassian Agile Coach




With Kanban, items are represented visually on a whiteboard, allowing team members to see the state of every piece of work in realtime. Kanban is both the board and the approach to managing work in a visual way, which helps limit work-in-progress and maximize a team’s efficiency.



TL;DR: Kanban is a visual way to manage Agile work. It’s an alternative framework to Scrum rather than a part of it.



Summary


Agile is the philosophy of doing work in short iterations to adjust to change.
Scrum is the methodology for doing work in an Agile way.
Themes are strategic tags you can apply to anything within Scrum.
Initiatives are strategic containers for Epics/features.
Epics are significant features that need be broken down into smaller pieces.
Stories are discrete features captured as narratives from the perspective of the end-user.
Kanban is a visual way to manage Agile work.



Published on November 11, 2020 05:24

November 9, 2020

Joe Rogan vs. Alex Jones




I avoid Alex Jones because once you’ve seen part of his schtick you’ve seen it all.



But I saw he was on Joe Rogan recently and I wanted to see what Joe was doing with him. I know Joe kind of likes Alex, but he also thinks he’s full of shit. But Joe is also hyper-curious, and used to be into a lot of conspiracies, …so he was willing to hear him out again.



I was curious how that would play out, and I was pleasantly surprised. He basically outed him as a complete imbecile in front of millions of people.



He kept interrupting Alex, telling him he couldn’t say what he just said without having data to back it up.




JONES: Coal is the cleanest type of energy.







ROGAN: Is it?




Jones kept pulling up his silly collection of papers, but over time it became extremely clear that he was using them as a shield. A paper shield.



Joe also kept having Jaime pull up data in real time to fact-check his claims. He used directness and intelligence to counter Alex, which was extremely effective.



When you silence someone you make it seem like his truth is TOO POWERFUL FOR MORTALS! It feeds the conspiracy that Alex has the truth that people want to hide. In that way, silencing makes him more powerful.



Calling him out exposes him as a fraud in front of fans and haters alike.



You could tell Joe wasn’t enjoying making this guy look like a dumbass, but that he felt his duty to truth was a more important calling.



It was as if he told Alex beforehand that he wasn’t going to be gentle with him, and that he better come prepared. And Alex showed up like his magic show would work just like before.



And then it didn’t.



I don’t always agree with Joe on things, but I think he’s a deeply curious person with a good heart. And I credit him more than anyone with spawning a culture of long-form conversation and civil disagreement that we see some places on the internet.



I think he did the world a tremendous service in this episode. He, better than any left-wing media outlet, successfully displayed how much Alex Jones’ game was built on bullshit.



And he did it while offering him every chance. He tried to steelman him. He gave him an honest shot, and the ideas simply didn’t hold up under scrutiny.



This is how we clean up our ideasphere. We expose ideas to sunlight, in good faith, and we let people decide what they think.



Notes


I do think there are cases where certain ideas are too toxic, and too fast-spreading, to allow them to spread. An example would be a conspiracy theory launched by a hostile government designed to undermine democracy. That’s the type of conversation you want to be able to have, but maybe not in the middle of an election where it could affect outcomes before being assessed properly. But I don’t think most of the dumb shit Alex talks about comes close to that level of danger.



Published on November 09, 2020 10:04

News & Analysis: No. 254



Published on November 09, 2020 00:02

November 6, 2020

Demand, CyberInsurance, and Automation/AI Are the Future of InfoSec




I think there are four main trends that will play out in the field of information security in the next 20 years.




(2021-2030) A Surge in Demand for InfoSec people will result in many more professionals being trained and placed within companies, likely using more of a trade/certification model than a 4-year university model.
(2026-) Cyberinsurance will ascend as the primary mechanism for making cybersecurity-related product and service decisions within companies.
(2030-) Automation & AI will start to result in fewer jobs filled by high-skill people as opposed to many jobs filled by lower-skilled workers.
(2035-) Dueling Algorithms will become the main way that top-tier, large organizations both attack and defend.


Let’s look at each of these in more detail.



1. A Surge in Demand

(ISC)2 says there were over 4 million too few cybersecurity people in 2019.



This one is simple and everyone knows it’s happening already. The world’s small businesses, hospitals, schools, and local governments are starved for cybersecurity talent, and there aren’t nearly enough people to fill the roles.




70% of cybersecurity professionals claim that their organization is impacted by the cybersecurity skills shortage.

ESG and ISSA




I think we need a national program to address this.



This gap between need and skilled people is even more acute due to the rise of the ransomware threat, and the world is going to have to respond with more people who can at least do the basics, even if that’s through short certification programs.



2. Cyberinsurance Will Ascend

Jeremiah Grossman and I have been talking about the rise of cybersecurity insurance for years now. I wrote my first big piece on it in August of 2015, and I still think it’s the future.



In short, it’s not smart to bet against insurance. It’s an industry that worships data because their profits depend on it, and that’s why they’ll be the first to be able to tell us what works and what doesn’t work in security.



Not only will that result in industry expertise—and eventually actuarial data—but they’ll be massively assisted by ever-improving AI that will be able to smell hackable organizations the way it detects ideal customers today.



Insurance companies will perform massive, centralized data aggregation exercises as part of their setup process for customers, and they’ll use that as input into their algorithms that determine risk of breach payout.



3. Automation (powered by AI)

Nobody knows when this crossover will happen, but I think it’ll be between 10 and 15 years.



At some point, there will be a crossover between the increased demand for trained cybersecurity people and the rising efficiency of security technologies and security automation—assisted by more artificial intelligence.



New IT platforms will require less configuration, have more security built in, will include continuous asset management, as well as continuous configuration monitoring. And when something goes wrong, many of the issues will be fixed automatically or with minimal need for human interaction.



Think cloud security products, plus 15 years of advances.



In short, better platforms, with better security controls, all monitored and managed with automation and AI. There will still be a need for people to run these systems, but it’ll be fewer people who are specialists in the large, all-in-one platforms like AWS, Azure, or whatever is on top then.



4. Dueling Algorithms

The final stage of this is both tangible and sci-fi, and essentially comes down to competing infrastructure that does:




Continuous Inventory
Continuous Security Monitoring
Automated Changes When Issues Are Found
Notifications to Humans When Automation Won’t Work (Prioritized Curation)


This model is also relevant for large enterprises.



The best example of the need for this is national-level security intelligence, reconnaissance, and vulnerability assessment.



Every country will have massive collections of internet-facing and internal-facing systems continuously scanning and monitoring everything it owns. It will then use AI to rate the risk level of everything it touches, and if it finds something dangerous it will be able to either 1) remediate it immediately, or 2) notify a human team for investigation and follow-up.
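The four stages above (continuous inventory, continuous monitoring with a risk rating, automated fixes, prioritized hand-off to humans) as a toy defender-side loop. This is an added example, not the author’s code or any product: the hosts, findings, the fix names, and the scoring rule are all constructed for illustration, and the score is a crude placeholder for the AI the post imagines.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    service: str
    exposed: bool  # True if reachable from the internet


@dataclass(frozen=True)
class Finding:
    asset: Asset
    issue: str
    severity: int          # 1 (low) .. 10 (critical), constructed scale
    time_sensitive: bool   # e.g. known to be exploited right now
    auto_fix: str = ""     # name of a known-safe automated remediation, if any


# Constructed sample inventories: the previous scan and the current one.
PREVIOUS = [
    Asset("web01", "https", True),
    Asset("db01", "postgres", False),
    Asset("vpn01", "ssh", True),
]
CURRENT = [
    Asset("web01", "https", True),
    Asset("db01", "postgres", False),
    Asset("api02", "https", True),  # newly appeared since the last scan
]

# Constructed sample findings from the current monitoring pass.
FINDINGS = [
    Finding(CURRENT[0], "TLS 1.0 still enabled", 4, False, "disable_legacy_tls"),
    Finding(CURRENT[2], "default admin credentials", 9, True),
    Finding(CURRENT[1], "missing security patch", 6, False, "apply_patch"),
    Finding(CURRENT[1], "over-privileged app role", 5, False),
    Finding(PREVIOUS[2], "weak SSH cipher", 5, False),  # host vanished since last scan
]


def inventory_delta(previous, current):
    """Stage 1, continuous inventory: what appeared and what disappeared."""
    prev, cur = set(previous), set(current)
    by_host = lambda a: a.host
    return sorted(cur - prev, key=by_host), sorted(prev - cur, key=by_host)


def risk_score(finding):
    """Stage 2, risk rating: base severity, boosted for internet exposure
    and urgency, capped at 10. A crude stand-in for the post's AI."""
    score = finding.severity
    if finding.asset.exposed:
        score += 3
    if finding.time_sensitive:
        score += 2
    return min(score, 10)


def triage(findings, inventory):
    """Stages 3 and 4: apply known-safe fixes automatically, send everything
    else to humans ordered by risk. Findings on assets that are no longer in
    inventory are stale and dropped rather than acted on."""
    live = set(inventory)
    remediated, queue = [], []
    for f in findings:
        if f.asset not in live:
            continue
        if f.auto_fix:
            remediated.append((f.asset.host, f.issue, f.auto_fix))
        else:
            queue.append(f)
    queue.sort(key=lambda f: (-risk_score(f), f.asset.host, f.issue))
    return remediated, [(f.asset.host, f.issue, risk_score(f)) for f in queue]
```

On the constructed data, the two findings with a known fix are remediated, the stale vpn01 finding is discarded, and the exposed host with default credentials lands at the top of the human queue.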



Countries that maintain offensive cyber-capabilities will have this same type of infrastructure running against all their adversaries, and it’ll be doing the same thing in reverse. It’ll be constantly discovering their attack surface, indexing it, and observing it for weaknesses—all using AI.



Issues that are discovered will either be auto-exploited if possible and/or if the issue is time-sensitive, or the discovery will be prioritized and sent to a human team for additional scrutiny.



The future will be all about the best crawlers paired with the best AI.



So the cyber battleground will become a set of colossal discovery/monitoring infrastructures, working as close to real time as possible, all being fed into AI that never sleeps. And that infrastructure will be fed into elite teams of humans ready to work on whatever the AI finds.



And this is for both attack and defense.



So the more thorough your automation, the faster it runs, the better the algorithms you have for detecting weaknesses and exploiting them using automation, and the better your human support teams—the better off that entity will be.



That’s the distant future of InfoSec, with humans playing less and less a part in the equation as time goes on.



Here’s my talk on this topic at DEFCON in 2020.



And this isn’t fantasy. I participate in the OSINT/Bounty/Recon scene and many of us in the field have been working on this stuff for years already, minus the AI which is still a bit early. But the idea of continuously monitoring—and even taking automatic action upon things that are discovered—is already happening in the infosec community, so you know it’s happening at the state level as well.



Ok, fine, but what do I do to get ready?

Well, it depends on who you are. If you’re a small to medium-sized company, find someone or some product that can get this type of infrastructure going for you.



If you’re an individual practitioner, become an expert in these types of infrastructure. If you want to ride the human work wave in InfoSec as long as possible, learn the big platforms like AWS, Azure, etc., with a focus on securing them.



And make sure you are good with data, which really means knowing how to code and use APIs. I recommend strong Linux and Python skills, with Go as a nice to have.



Summary


I think there are four big trends for the future of infosec
A Surge in Demand, The Rise of Cyberinsurance, The Rise of Automation, and Dueling Algorithms
To survive as a human for as long as possible, become an expert in the big unified platforms
Know how to get data in and out of APIs


Notes


Keep in mind that trend #1 will be counterbalanced by the growth of people who need basic information security help. The question is when those two trends cross over.
Image from information-age.com.
If you want maximum safety, learn some data science and lift your data game even higher.



Published on November 06, 2020 00:02


November 4, 2020

The Simple Reason Polls Failed So Hard in 2020

[Graph: top polls for Florida on November 2nd]



Regardless of who wins the presidency in 2020 there will be an incandescent conversation around polling. In short, how did they get it so wrong?



The graph above shows some top polls for Florida on November 2nd. Now compare that to how the state actually went.




Trump’s results in Florida from the New York Times



That’s an extraordinary miss of up to 12 percentage points in some polls, swinging from Biden +9 to Trump’s +3.



Nate Silver seems to have turned into Nate Copper.



But there’s a remarkably simple lesson in this that at least one pollster had already locked onto.



Don’t ask people their opinions directly.



Robert Cahaly is basically the new Nate Silver. He runs the Trafalgar Group poll, and he’s been using indirect techniques to run polls for a long time. Here’s what he had for Florida in October:




Trafalgar polling for Florida in October of 2020



He still didn’t get every state right, though.



He had Trump up a bit over 2% in Florida, which is very close to where it’ll likely land after everything is settled. And it wasn’t just Florida—he outperformed the other polls across the spread.




@SteveDoocy @kilmeade @ainsleyearhardt not all the pollsters were wrong. Our @trafalgar_group #polls were solid pic.twitter.com/lFgD45VOkQ

— Robert C. Cahaly (@RobertCahaly) November 4, 2020



I highly recommend this book.



The technique he uses is something I just read about in a book called Everybody Lies, written by an ex-Google data scientist. It’s about how asking people their opinion is one of the worst ways to find out what they’re thinking.









One technique he talks about is looking at Google Search data to see what people really think about things. Why? Because Google searches are private, and that’s what makes them honest.



Cahaly no longer shares his questions.



Cahaly’s Trafalgar Group uses a similar approach to polling in that he doesn’t trust anything asked or answered directly. One of his early techniques used something like the Google Search data trick. Instead of asking:




Would you feel uncomfortable if a minority family moved into your neighborhood?




(which is likely to trigger all sorts of self-analysis and face-saving)



…they instead asked something like:




Would most people who live near you feel uncomfortable if a minority family moved into your neighborhood?




In other words, it’s not just lying to the pollster we have to worry about here; it’s also people lying to themselves. Cahaly talks in interviews about people not wanting to appear a certain way to the pollster, and that type of self-awareness seems likely to produce noise in the poll data.




I’m not sure who’s going to win yet, but I can tell you that Nate Silver has lost.

Taleb was right. You can’t over-rely on polls and models when 2020 human psychology is a turbulent mess of Black Swans.

Even if Biden wins, the models were deeply flawed.

— ᴅᴀɴɪᴇʟ ᴍɪᴇssʟᴇʀ (@DanielMiessler) November 4, 2020



The second version of this question allows people to speak freely about opinions they’re likely to share, but under the protection of, ‘People I know are likely to feel this way…’



The takeaway

Starting with a polling industry blood bath.



My expectation is that we’re about to see a revolution in polling that moves the industry away from Nate Silver’s approach—it turns out the aggregation of bullshit just results in a larger pile of bullshit—and towards Trafalgar and the concepts in Everybody Lies.



In a word, proxies.



Pollsters are about to start searching for ways to measure people’s opinions without asking them directly. Because yeah…that clearly doesn’t work.



Notes


I think the “Shy Trump Voter” is an element of this, but it’s a subclass of the Everybody Lies phenomenon. People might be proud of supporting Trump and just not want to share it out of self-preservation, but some subset might not even know how much they support him until they get ready to vote. And in both cases direct polling will fail.



Published on November 04, 2020 13:06
