Daniel Miessler's Blog, page 59

November 15, 2020

Organizing Feedly by Tags




I’m kind of obsessed with organizing my RSS feeds, and I try to do a restructure every two years or so.



This time I’m going hyper-specific with tags.



Tags are basically how Feedly does organization, so it’s a natural fit. But prior to this re-org I was using very large tags like, security, technology, politics.



Those turned out to be too broad.



So what I’m looking to do now is break them out into smaller pieces.






The naming mechanism is basically subject-subtopic-type, or subject-qualifier, which gives me tags like:




politics-outlets
news-high-quality
security-vulnerabilities
influencers-science
politics-news-high-quality


This way I can incorporate the context—and trust level—when I’m reading headlines. And it allows me to use two main techniques to prioritize my reading:




Add the highest quality ones to Favorites
Sort the list from top to bottom by priority


So if I’m in a massive rush I can just check Favorites.



And if I have time I can start from the top and move down.



And if I am only interested in certain topics, or certain sources, I can check just those tags.



Hope this helps give someone ideas on how to organize their stuff.




If you get value from this content, you can support it directly by becoming a member. Being a member gets you access to the newsletter every week instead of just twice a month, access to the UL Slack Channel, the UL Book Club, the UL Archives, and access to future member-only content.



monthly-subscription





annual-subscription



Published on November 15, 2020 14:59

November 13, 2020

My View on Abortion




I have a good friend who’s conservative and strongly against abortion. I see him posting stuff on Facebook about it, which triggers me to respond. But I never do because Facebook is not a place for serious discussion. It’s a place for partial discussion that inflames both sides.



So here’s my opinion on abortion, and why.



This is best captured in Sam Harris’ The Moral Landscape.



To me, the bedrock of human morality is the experience of conscious creatures. I don’t believe there’s any evidence that humans arrive in this world with a non-material soul. Having anything non-material is an extraordinary claim, and thus requires extraordinary evidence.



So, as far as I can tell, we are just another life form on this planet. We are wondrous, to be sure, but we can see sparks of that same beauty in many other living creatures we share the planet with.




A cute baby monkey doing cute baby things



It’s possible to imagine a material version of a soul if you constrain it to beauty and uniqueness.



I can’t find a clear, moral line between causing pain and suffering to a human versus—say—a baby monkey. They feel pain. They fear things. They love things. They understand the concept of good vs. bad behavior, and being held responsible for choices.



Those are all good reasons to not want to harm something, but they’re not needed. All you need is the first one: they feel pain. Not just physical pain, but emotional pain. Lots of animals have this, and that is what matters most to me from a moral standpoint.



The moment we have evidence of another realm we’ll need to add that to the equation.



Morality is about suffering and happiness. Full stop. Conscious experience is the only realm we know of that matters for these things, and therefore it’s the only realm we should consider.



And that brings us to abortion.



Abortion to me is a simple, horrific calculus. It’s about calculating suffering. Specifically, it’s about minimizing suffering. The question is, how do we do that calculation? How do we weigh it?



What matters more? The suffering of an unborn child, or the suffering of a mother? And what about society? What about members of a society that see abortion in a certain way? What about the very fact that abortion could be desired or necessary at all, for anyone?



All of these questions need to be factored into a model of understanding for human suffering. It seems callous to do so, and it’s obviously very difficult work, but the alternative to using a model is making policy decisions for an entire society based on the subjective beliefs of various factions.



One faction might be a bunch of non-scientific or unsympathetic atheists who believe life and consciousness starts at age 3. Another faction might be strict Christians who believe the Bible says life starts at conception. These two groups cannot agree because they’re not playing the same sport. Or even worse—they’re trying to play the same sport but using different rules.



This shared model concept applies to more than just abortion, e.g., criminal justice.



Logical discussion and debate require a shared understanding of the world, and for abortion that necessitates a model for the benefit and harm of a given policy.




How much do human infants experience at various ages in the womb?
How much pain can they experience?
How much danger are women in from various types of pregnancy issues?
At what age of development do pain and experience increase?
What level of suffering does a mother experience in the case of forced pregnancy?
What is their level of suffering if forced to have that child?
How much suffering do unwanted children present to mothers?
How much suffering do unwanted children present society?
How much suffering does an aborted child actually experience at each level of development?


These are horrific fucking questions. Horrific.



But if we cannot ask them, and work towards answering them, then we can’t have a logical conversation about abortion. Period.



If you want to see this in a context that’s a bit less triggering, think about prisons. Or more specifically, human incarceration.



Let’s not even talk about private prisons that incentivize every part of the incarceration lifecycle.



Freedom is a key requirement for human happiness. Yet we think nothing of holding millions of humans in tiny cages for various types of crimes. We try to make the punishment fit the crimes—usually—and we have rules for how prisoners can be treated. But we’re still robbing people of their freedom.



Many will say:




Well, they deserved it. This is punishment for their actions. Babies haven’t done anything wrong.




Sure, but that’s not the point. The point is that we’ve engaged in moral calculus, just as we need to do with abortion. We’ve said stealing a car gets you X, while stabbing someone gets you Y, measured in how much human freedom you lose.



It’s the same thing with abortion really. We’re taking something that should never happen—restricting the freedom of a fellow human being, or ending the life of a human being that hasn’t been born yet—and we’re allowing that thing to happen for a reason.



That’s what we’re doing. That’s what policy is. You make this adjustment, for this reason, to avoid this outcome, or to attempt to get a different one.



Both abortion and human incarceration are abominations, and we should be ashamed of ourselves for engaging in either of them. No question.



But—unfortunately—we’re still in a phase of human civilization development where both are needed.



And our adoption story isn’t good enough to change that calculus either.



People still commit crimes, and people still have sex in situations where they’re not willing or able to become good parents. That’s it. That’s the reason we have this problem.



Whether it’s bad upbringing, bad social safety nets, random bad luck, a lack of science or moral education—whatever—it doesn’t matter. We have all those problems in our societies, and all those problems cause both crime and sex that won’t produce children landing in an ideal home.



Note that all these societal problems seem to influence both crime and abortion.



The question isn’t whether incarceration or abortion should happen. We already established that neither should. The question is, given the harm caused by unpunished crime and millions of adult humans with bad upbringings existing in the world—what should be done?



Here’s what abortion comes down to for me. Think of the suffering of a man who lives for 60 years, who grew up without parents, who moved throughout foster homes and the criminal justice system, and who caused immeasurable harm to others along the way.



What’s their level of suffering—on a 1000-point scale? And remember, it’s not just their suffering, but the suffering that was injected into the world by them existing. So all their pain, and all the pain that they’ve caused others due to their own pain. What’s the number?



More data on inmates and family backgrounds.



Probably high. And yeah—before you say anything—obviously some people beat all the odds, grow up in foster homes, have horrible childhoods, and grow up to be extremely happy and productive members of society. 100% true. But the data clearly shows that a massive percentage of the people who commit crimes lacked a stable, loving household growing up.



But let’s not just take one of those people because any one person can be an anomaly. Let’s take 1,000 of those men. Or 100,000. Or a million. Again, these are men who might have not been born if contraception were easier, or cheaper, or if the woman had an easy path to terminate the pregnancy.



So, one million men in the world that the mother didn’t really want, or wasn’t prepared to have. Calculate the suffering that they have experienced and created in the world.



Now compare that with the suffering experienced by the one million fetuses that were terminated early in their life, before they exited the womb.



How do those two values compare?



Based on what I know of the science, the social science, and from everything I’ve learned in my life—it’s not even close. Adults who grow up neglected experience—and cause—far more pain than do tiny little fetuses when they are terminated.



And again—I’m already agreeing with you that abortion is bad. I’m already agreeing with you that one abortion is one too many.



All I’m saying is that it’s our responsibility as humans—and as members of a modern society—to do this calculus. It’s the only moral way to create policy.



Just as with incarceration, we must find and implement alternatives that reduce our need to do unthinkable things to our fellow humans. Better education, better contraception, better adoption infrastructure, better foster care.



All these can help us reduce the need for extreme, unacceptable, but necessary measures in dealing with our current reality.



You should see abortion neither as a noble nor as an immoral act. Think about it like prisons. It’s a backstop control for failed human civilization, and the better we get at addressing the underlying causes the faster we can get to a world of zero abortions and zero incarcerations.



It’ll be a while.



Notes


There are other levers that can reduce the need for abortions as well, such as better adoption infrastructure. The goal is to reduce the number of neglected children, not to increase abortions.
Title image from Vice.



Published on November 13, 2020 05:14

November 11, 2020

An Agile Primer




I went a long time without understanding the basics of Agile, so here’s a quick primer for myself that I hope is useful for others as well.



What is Agile?

Agile is the concept and Scrum is the methodology.



Atlassian has a great definition.




Agile is an iterative approach to project management and software development that helps teams deliver value to their customers faster and with fewer headaches. Instead of betting everything on a “big bang” launch, an agile team delivers work in small, but consumable, increments. Requirements, plans, and results are evaluated continuously so teams have a natural mechanism for responding to change quickly.

Atlassian Agile Coach




TL;DR: Agile is the concept of developing software in short bursts rather than massive releases so that teams can adjust to change.



The biggest confusion is mixing Agile the philosophy with Scrum the methodology.



What are Epics?


An agile epic is a body of work that can be broken down into specific tasks (called user stories) based on the needs/requests of customers or end-users.

Atlassian Agile Coach




Epics should be named so that it’s extremely clear what you’re getting when it launches.



Epics are often features or other major pieces of functionality that must be broken down into multiple tasks. If the project were a real estate website, an epic might be adding a 3D touring feature. Or if the project were a SaaS HR application, an epic might be a timesheet function.



TL;DR: Epics are bodies of work that correspond to a significant feature or event.



What are User Stories?


A breakdown of Epics, Stories, and Sprints




A user story is an informal, general explanation of a software feature written from the perspective of the end-user.

Atlassian Agile Coach




They’re features, but captured as narratives.



User stories are not just lists of features; they’re descriptions of a feature that describe what the end-user wants to get out of that feature. They’re best captured as a narrative sentence, like:




As a [persona], I [want to], [so that].




User story examples


As Max, I want to invite my friends, so we can enjoy this service together.
As Sascha, I want to organize my work, so I can feel more in control.
As a manager, I want to be able to understand my colleagues’ progress, so I can better report our successes and failures.


TL;DR: Stories are features captured as narrative sentences from the perspective of a particular end-user.



What are Initiatives?


Initiatives unify epics through goals




Initiatives are collections of epics that drive toward a common goal.




Initiatives often cross multiple teams.



Initiatives are collections of epics captured as a goal, and should be named accordingly. For example, “Bounce Rate Reduction” could be an initiative because, 1) it will likely include multiple epics, and 2) its purpose is clear.



TL;DR: Initiatives are collections of epics captured as a goal.



What are Themes?


Themes are strategic labels that can be applied to initiatives, epics, or stories.




Themes are tags that can be applied anywhere, not parents of Initiatives.



You can think of themes as tags since you can attach them to any level. A theme might be something like, “Safety First”, and that label/tag can then be applied to an Initiative called, “Encryption Everywhere”, and an epic called, “TLS 3.1 Upgrade”.



TL;DR: Themes are strategic tags.



What is Scrum?


Scrum is a framework that helps teams work together by encouraging teams to learn through experiences, self-organize while working on a problem, and reflect on their wins and losses to continuously improve.

Atlassian Agile Coach




Scrum can be used for any kind of teamwork.



TL;DR: Scrum is a cooperation framework.



What are Sprints?


The process of creating and managing sprints




A sprint is a short, time-boxed period when a scrum team works to complete a set amount of work.

Atlassian Agile Coach




And another from Megan Cook.




With Scrum, a product is built in a series of iterations called sprints that break down big, complex projects into bite-sized pieces.

Megan Cook, Group Product Manager, Atlassian




Agile is philosophy, Scrum is methodology, Sprints are timeboxes.



Sprints are short periods of time where a certain amount of work is to be done. Sprints contain stories, which of course are part of Epics, but some epics will cross into multiple Sprints.



TL;DR: Sprints are set periods of time where a defined number of stories are worked on.



What is Kanban?

Trello uses Kanban, for example.




Kanban is a popular framework used to implement agile software development. It requires real-time communication of capacity and full transparency of work.

Atlassian Agile Coach




With Kanban, items are represented visually on a whiteboard, allowing team members to see the state of every piece of work in realtime. Kanban is both the board and the approach to managing work in a visual way, which helps limit work-in-progress and maximize a team’s efficiency.



TL;DR: Kanban is a visual way to manage work that’s organized via Agile/Scrum.



Summary


Agile is the philosophy of doing work in short iterations to adjust to change.
Scrum is the methodology for doing work in an Agile way.
Themes are strategic tags you can apply to anything within Scrum.
Initiatives are strategic containers for Epics/features.
Epics are significant features that need to be broken down into smaller pieces.
Stories are discrete features captured as narratives from the perspective of the end-user.
Kanban is a visual way to manage Agile work.



Published on November 11, 2020 05:24

November 9, 2020

Joe Rogan vs. Alex Jones




I avoid Alex Jones because once you’ve seen part of his schtick you’ve seen it all.



But I saw he was on Joe Rogan recently and I wanted to see what Joe was doing with him. I know Joe kind of likes Alex, but he also thinks he’s full of shit. But Joe is also hyper-curious, and used to be into a lot of conspiracies, …so he was willing to hear him out again.



I was curious how that would play out, and I was pleasantly surprised. He basically outed him as a complete imbecile in front of millions of people.



He kept interrupting Alex, telling him he couldn’t say what he just said without having data to back it up.




JONES: Coal is the cleanest type of energy.

ROGAN: Is it?




Jones kept pulling up his silly collection of papers, but over time it became extremely clear that he was using them as a shield. A paper shield.



Joe also kept having Jaime pull up data in realtime to fact-check his claims. He used directness and intelligence to counter Alex, which was extremely effective.



When you silence someone you make it seem like his truth is TOO POWERFUL FOR MORTALS! It feeds the conspiracy that Alex has the truth that people want to hide. In that way, silencing makes him more powerful.



Calling him out exposes him as a fraud in front of fans and haters alike.



You could tell Joe wasn’t enjoying making this guy look like a dumbass, but that he felt his duty to truth was a more important calling.



It was as if he told Alex beforehand that he wasn’t going to be gentle with him, and that he better come prepared. And Alex showed up like his magic show would work just like before.



And then it didn’t.



I don’t always agree with Joe on things, but I think he’s a deeply curious person with a good heart. And I credit him more than anyone with spawning a culture of long-form conversation and civil disagreement that we see some places on the internet.



I think he did the world a tremendous service in this episode. He, better than any left-wing media outlet, successfully displayed how much Alex Jones’ game was built on bullshit.



And he did it while offering him every chance. He tried to steelman him. He gave him an honest shot, and the ideas simply didn’t hold up under scrutiny.



This is how we clean up our ideasphere. We expose ideas to sunlight, in good faith, and we let people decide what they think.



Notes


I do think there are cases where certain ideas are too toxic, and too fast-spreading, to allow them to spread. An example would be a conspiracy theory launched by a hostile government designed to undermine democracy. That’s the type of conversation you want to be able to have, but maybe not in the middle of an election where it could affect outcomes before being assessed properly. But I don’t think most of the dumb shit Alex talks about comes close to that level of danger.



Published on November 09, 2020 10:04

News & Analysis: No. 254









Published on November 09, 2020 00:02

November 6, 2020

Demand, CyberInsurance, and Automation/AI Are the Future of InfoSec




I think there are four main trends that will play out in the field of information security in the next 20 years.




(2021-2030) A Surge in Demand for InfoSec people will result in many more professionals being trained and placed within companies, likely using more of a trade/certification model than a 4-year university model.
(2026-) Cyberinsurance will ascend as the primary mechanism for making cybersecurity-related product and service decisions within companies.
(2030-) Automation & AI will start to result in fewer jobs filled by high-skill people as opposed to many jobs filled by lower-skilled workers.
(2035-) Dueling Algorithms will become the main way that top-tier, large organizations both attack and defend.


Let’s look at each of these in more detail.



1. A Surge in Demand

(ISC)2 says there were over 4 million too few cybersecurity people in 2019.



This one is simple and everyone knows it’s happening already. The world’s small businesses, hospitals, schools, and local governments are starved for cybersecurity talent, and there aren’t nearly enough people to fill the roles.




70% of cybersecurity professionals claim that their organization is impacted by the cybersecurity skills shortage.

ESG and ISSA




I think we need a national program to address this.



This gap between need and skilled people is even more acute due to the rise of the ransomware threat, and the world is going to have to respond with more people who can at least do the basics, even if that’s through short certification programs.



2. Cyberinsurance Will Ascend

Jeremiah Grossman and I have been talking about the rise of cybersecurity insurance for years now. I wrote my first big piece on it in August of 2015, and I still think it’s the future.



In short, it’s not smart to bet against insurance. It’s an industry that worships data because their profits depend on it, and that’s why they’ll be the first to be able to tell us what works and what doesn’t work in security.



Not only will that result in industry expertise—and eventually actuarial data—but they’ll be massively assisted by ever-improving AI that will be able to smell hackable organizations the way it detects ideal customers today.



Insurance companies will perform massive, centralized data aggregation exercises as part of their setup process for customers, and they’ll use that as input into their algorithms that determine risk of breach payout.



3. Automation (powered by AI)

Nobody knows when this crossover will happen, but I think it’ll be between 10 and 15 years.



At some point, there will be a crossover between the increased demand for trained cybersecurity people and the rising efficiency of security technologies and security automation—assisted by more artificial intelligence.



New IT platforms will require less configuration, have more security built in, will include continuous asset management, as well as continuous configuration monitoring. And when something goes wrong, many of the issues will be fixed automatically or with minimal need for human interaction.



Think cloud security products, plus 15-years of advances.



In short, better platforms, with better security controls, all monitored and managed with automation and AI. There will still be a need for people to run these systems, but it’ll be fewer people who are specialists in the large, all-in-one platforms like AWS, Azure, or whatever is on top then.



4. Dueling Algorithms

The final stage of this is both tangible but also sci-fi, and essentially comes down to competing infrastructure that does:




Continuous Inventory
Continuous Security Monitoring
Automated Changes When Issues Are Found
Notifications to Humans When Automation Won’t Work (Prioritized Curation)


This model is also relevant for large enterprises.



The best example of the need for this is national level security intelligence, reconnaissance, and vulnerability assessment.



Every country will have massive collections of internet and internal-facing systems that are continuously scanning and monitoring everything it owns. It will then be using AI to rate the risk level of everything it touches, and if it finds something dangerous it will be able to either 1) remediate it immediately, or 2) notify a human team for investigation and follow-up.
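As an added example (not code from the post or from any project it mentions), here is a miniature of the defensive loop described above, with constructed assets, findings, scoring weights and a hypothetical set of "safe" automated remediations: a continuous-inventory diff, a risk rating for each finding, automatic remediation where a pre-approved fix exists, and a prioritized queue for the human team otherwise.

```python
"""Added illustration of the continuous inventory -> monitoring -> auto-fix /
human-triage loop. Asset names, issue names, severities and scoring weights
are constructed for the example and are not from the post."""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Finding:
    asset: str
    exposure: str          # "internet" or "internal" (constructed vocabulary)
    issue: str             # scanner check name (constructed)
    severity: int          # 1..10, as a scanner might emit (constructed)
    time_sensitive: bool = False


# Remediations the automation may apply without a human. Kept deliberately
# small: only reversible, low-blast-radius actions belong here (assumption).
SAFE_REMEDIATIONS: dict[str, Callable[[Finding], str]] = {
    "tls-cert-expired": lambda f: f"renew certificate on {f.asset}",
    "open-admin-port": lambda f: f"add deny rule for admin port on {f.asset}",
}


def inventory_delta(previous: set[str], current: set[str]) -> tuple[set[str], set[str]]:
    """Continuous-inventory step: assets that appeared and assets that vanished
    since the previous pass. Both sets deserve attention (new attack surface,
    or a host that dropped out of monitoring)."""
    return current - previous, previous - current


def rate_risk(f: Finding) -> float:
    """Risk score: severity weighted by exposure, raised for time-sensitive issues."""
    weight = {"internet": 1.0, "internal": 0.5}[f.exposure]
    score = f.severity * weight
    if f.time_sensitive:
        score *= 1.5
    return score


def triage(findings: list[Finding]) -> tuple[list[str], list[tuple[float, Finding]]]:
    """Apply pre-approved fixes automatically; everything else goes to humans,
    highest risk first (the "prioritized curation" step)."""
    actions: list[str] = []
    queue: list[tuple[float, Finding]] = []
    for f in findings:
        fix = SAFE_REMEDIATIONS.get(f.issue)
        if fix is not None:
            actions.append(fix(f))
        else:
            queue.append((rate_risk(f), f))
    queue.sort(key=lambda item: item[0], reverse=True)
    return actions, queue


def run_cycle(previous_inventory: set[str], current_inventory: set[str],
              findings: list[Finding]) -> dict:
    """One pass of the loop: diff the inventory, then triage the scan findings."""
    new, gone = inventory_delta(previous_inventory, current_inventory)
    actions, queue = triage(findings)
    return {"new_assets": new, "removed_assets": gone,
            "actions": actions, "human_queue": queue}


# Constructed sample data for one monitoring pass.
PREVIOUS = {"web-1", "web-2", "db-1"}
CURRENT = {"web-1", "web-2", "api-1"}
FINDINGS = [
    Finding("web-1", "internet", "tls-cert-expired", 6),
    Finding("api-1", "internet", "unknown-service-banner", 4, time_sensitive=True),
    Finding("web-2", "internal", "outdated-kernel", 8),
    Finding("web-2", "internet", "open-admin-port", 9),
]

if __name__ == "__main__":
    result = run_cycle(PREVIOUS, CURRENT, FINDINGS)
    print("new assets:", result["new_assets"])
    print("removed assets:", result["removed_assets"])
    for action in result["actions"]:
        print("auto:", action)
    for risk, f in result["human_queue"]:
        print(f"human ({risk:.1f}): {f.asset} {f.issue}")
```

The design choice worth noticing is that the automation's authority is bounded by the allow-list of remediations rather than by the risk score alone: a high-risk finding with no pre-approved fix is escalated, not improvised, which is the "notifications to humans when automation won't work" branch of the post's model.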



Countries that maintain offensive cyber-capabilities will have this same type of infrastructure running against all their adversaries, and it’ll be doing the same thing in reverse. It’ll be constantly discovering their attack surface, indexing it, and observing it for weaknesses—all using AI.



Issues that are discovered will either be auto-exploited if possible and/or if the issue is time-sensitive, or the discovery will be prioritized and sent to a human team for additional scrutiny.



The future will be all about the best crawlers paired with the best AI.



So the cyber battleground will become a set of colossal discovery/monitoring infrastructures, which are working as close to realtime as possible, all being fed into AI that never sleeps. And that infrastructure will be fed into elite teams of humans ready to work on whatever the AI finds.



And this is for both attack and defense.



So the more thorough your automation, the faster it runs, the better the algorithms you have for detecting weaknesses and exploiting them using automation, and the better your human support teams—the better off that entity will be.



That’s the distant future of InfoSec, with humans playing less and less a part in the equation as time goes on.



Here’s my talk on this topic at DEFCON in 2020.



And this isn’t fantasy. I participate in the OSINT/Bounty/Recon scene and many of us in the field have been working on this stuff for years already, minus the AI which is still a bit early. But the idea of continuously monitoring—and even taking automatic action upon things that are discovered—is already happening in the infosec community, so you know it’s happening at the state level as well.



Ok, fine, but what do I do to get ready?

Well it depends who you are. If you’re a small to medium-sized company, find someone or some product that can get this type of infrastructure going for you.



If you’re an individual practitioner, become an expert in these types of infrastructure. If you want to ride the human work wave in InfoSec as long as possible, learn the big platforms like AWS, Azure, etc., with a focus in securing them.



And make sure you are good with data, which really means knowing how to code and use APIs. I recommend strong Linux and Python skills, with Go as a nice to have.



Summary


I think there are four big trends for the future of infosec
A Surge in Demand, The Rise of Cyberinsurance, The Rise of Automation, and Dueling Algorithms
To survive as a human for as long as possible, become an expert in the big unified platforms
Know how to get data in and out of APIs


Notes


Keep in mind that trend #1 will be counterbalanced by the growth of people who need basic information security help. The question is when those two trends cross over.
Image from information-age.com.
If you want maximum safety, learn some data science and lift your data game even higher.



Published on November 06, 2020 00:02

Demand, Automation, and Insurance Are the Future of InfoSec

cyber war future



I think there are four main trends that will play out in the field of information security in the next 20 years.




(2021-2030) A Surge in Demand for InfoSec people will result in many more professionals being trained and placed within companies, likely using more of a trade/certification model than a 4-year university model.
(2026-) Cyberinsurance will ascend as the primary mechanism for making cybersecurity-related product and service decisions within companies.
(2030-) Automation & AI will start to result in fewer jobs filled by high-skill people as opposed to many jobs filled by lower-skilled workers.
(2035-) Dueling Algorithms will become the main way that top-tier, large organizations both attack and defend.


Let’s look at each of these in more detail.



1. A Surge in Demand

(ISC)2 says there were over 4 million too few cybersecurity people in 2019.



This one is simple and everyone know’s it’s happening already. The world’s small businesses, hospitals, schools, and local governments are starved for cybersecurity talent, and there aren’t nearly enough people to fill the roles.




70% of cybersecurity professionals claim that their organization is impacted by the cybersecurity skills shortage.

ESG and ISSA




I think we need a national program to address this.



This gap between need and skilled people is even more acute due to the rise of the ransomware threat, and the world is going to have to respond with more people who can at least do the basics, even if that’s through short certification programs.



2. Cyberinsurance Will Ascend

Jeremiah Grossman and I have been talking about the rise of cybersecurity insurance for years now. I wrote my first big piece on it in August of 2015, and I still think it’s the future.



In short, it’s not smart to bet against insurance. It’s an industry that worships data because their profits depend on it, and that’s why they’ll be the first to be able to tell us what works and what doesn’t work in security.



Not only will that result in industry expertise—and eventually actuarial data—but they’ll be massively assisted by ever-improving AI that will be able to smell hackable organizations the way it detects ideal customers today.



Insurance companies will perform massive, centralized data aggregation exercises as part of their setup process for customers, and they’ll use that as input into their algorithms that determine risk of breach payout.



3. Automation (powered by AI)

Nobody knows when this crossover will happen, but I think it’ll be between 10 and 15 years.



At some point, there will be a crossover between the increased demand for trained cybersecurity people and the rising efficiency of security technologies and security automation—assisted by more artificial intelligence.



New IT platforms will require less configuration, have more security built in, will include continuous asset management, as well as continuous configuration monitoring. And when something goes wrong, many of the issues will be fixed automatically or with minimal need for human interaction.



Think cloud security products, plus 15-years of advances.



In short, better platforms, with better security controls, all monitored and managed with automation and AI. There will still be a need for people to run these systems, but it’ll be fewer people who are specialists in the large, all-in-one platforms like AWS, Azure, or whatever is on top then.



4. Dueling Algorithms

The final stage of this is both tangible and sci-fi, and essentially comes down to competing infrastructure that does:




Continuous Inventory
Continuous Security Monitoring
Automated Changes When Issues Are Found
Notifications to Humans When Automation Won’t Work (Prioritized Curation)


This model is also relevant for large enterprises.



The best example of the need for this is national-level security intelligence, reconnaissance, and vulnerability assessment.



Every country will have massive collections of internet and internal-facing systems that are continuously scanning and monitoring everything it owns. It will then be using AI to rate the risk level of everything it touches, and if it finds something dangerous it will be able to either 1) remediate it immediately, or 2) notify a human team for investigation and follow-up.
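The defender-side loop described above (inventory, monitor, auto-remediate what is safe, escalate the rest to humans in priority order) reduces to a small control loop. What follows is an added example written for this page, not code from the post or from any product the author mentions: the assets, the rules, the risk weights and the "safe to auto-fix" threshold are all constructed for the demo, and a real deployment would replace the inventory snapshot with a scanner or cloud-API feed.

```python
"""
Added example (not from the post): a minimal defender-side
inventory -> monitor -> remediate-or-escalate loop in Python.
Every asset, rule, risk weight and threshold below is constructed
for illustration; none of it reflects a real scanner or product.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Asset:
    hostname: str            # constructed names, e.g. "web-01"
    exposure: str            # "internet" or "internal"
    open_ports: set[int]
    config: dict[str, object]


@dataclass
class Finding:
    asset: str
    issue: str
    risk: int                # 0-100, higher is worse (assumed scale)
    auto_fixable: bool
    fix: Optional[Callable[[Asset], None]] = None


# Step 1: continuous inventory. Here a constructed snapshot; in practice this
# would be refreshed from a scanner or a cloud provider's asset API.
def inventory() -> list[Asset]:
    return [
        Asset("web-01", "internet", {22, 80, 443},
              {"tls_min_version": "1.0", "mfa": True}),
        Asset("db-01", "internal", {5432},
              {"tls_min_version": "1.2", "mfa": False}),
        Asset("bastion-01", "internet", {22, 3389},
              {"tls_min_version": "1.2", "mfa": False}),
    ]


def _raise_tls_floor(a: Asset) -> None:
    """Remediation for the TLS finding: a config-only change."""
    a.config["tls_min_version"] = "1.2"


# Step 2: continuous monitoring. A rule set evaluates each asset and emits
# findings, weighting internet-facing assets higher than internal ones.
def monitor(assets: list[Asset]) -> list[Finding]:
    findings: list[Finding] = []
    for a in assets:
        exposed = a.exposure == "internet"
        if a.config.get("tls_min_version") in ("1.0", "1.1"):
            # Low blast radius, reversible: marked safe to auto-remediate.
            findings.append(Finding(a.hostname, "weak TLS minimum version",
                                    60 if exposed else 30, True, _raise_tls_floor))
        if 3389 in a.open_ports and exposed:
            # Closing a port can break an admin workflow: escalate instead.
            findings.append(Finding(a.hostname, "RDP exposed to the internet", 90, False))
        if not a.config.get("mfa", False) and exposed:
            findings.append(Finding(a.hostname,
                                    "MFA not enforced on an internet-facing host", 80, False))
    return findings


# Steps 3 and 4: auto-fix what is both fixable and below the risk ceiling,
# and hand everything else to humans as a queue sorted by risk (prioritized curation).
def triage(assets: list[Asset], findings: list[Finding],
           auto_fix_max_risk: int = 70) -> tuple[list[Finding], list[Finding]]:
    by_name = {a.hostname: a for a in assets}
    fixed: list[Finding] = []
    queue: list[Finding] = []
    for f in findings:
        if f.auto_fixable and f.fix is not None and f.risk <= auto_fix_max_risk:
            f.fix(by_name[f.asset])
            fixed.append(f)
        else:
            queue.append(f)
    queue.sort(key=lambda f: f.risk, reverse=True)
    return fixed, queue


def run_cycle(auto_fix_max_risk: int = 70) -> tuple[list[Asset], list[Finding], list[Finding]]:
    """One pass of the loop; a real system would run this continuously."""
    assets = inventory()
    findings = monitor(assets)
    fixed, queue = triage(assets, findings, auto_fix_max_risk)
    return assets, fixed, queue


if __name__ == "__main__":
    _, fixed, queue = run_cycle()
    for f in fixed:
        print(f"auto-fixed  {f.asset}: {f.issue}")
    for f in queue:
        print(f"escalated   {f.asset}: {f.issue} (risk {f.risk})")
```

The `auto_fix_max_risk` ceiling is the knob that decides how much the automation is trusted to act alone: lowering it to 50 in this demo sends the TLS finding to the human queue as well, which is the tradeoff the post's "notifications to humans when automation won't work" step is about.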



Countries that maintain offensive cyber-capabilities will have this same type of infrastructure running against all their adversaries, and it’ll be doing the same thing in reverse. It’ll be constantly discovering their attack surface, indexing it, and observing it for weaknesses—all using AI.



Issues that are discovered will either be auto-exploited if possible and/or if the issue is time-sensitive, or the discovery will be prioritized and sent to a human team for additional scrutiny.



The future will be all about the best crawlers paired with the best AI.



So the cyber battleground will become a set of colossal discovery/monitoring infrastructures, working as close to realtime as possible, all feeding into AI that never sleeps. And that infrastructure will in turn feed elite teams of humans ready to work on whatever the AI finds.



And this is for both attack and defense.



So the more thorough your automation, the faster it runs, the better the algorithms you have for detecting weaknesses and exploiting them using automation, and the better your human support teams—the better off that entity will be.



That’s the distant future of InfoSec, with humans playing less and less of a part in the equation as time goes on.



Here’s my talk on this topic at DEFCON in 2020.



And this isn’t fantasy. I participate in the OSINT/Bounty/Recon scene and many of us in the field have been working on this stuff for years already, minus the AI which is still a bit early. But the idea of continuously monitoring—and even taking automatic action upon things that are discovered—is already happening in the infosec community, so you know it’s happening at the state level as well.



Ok, fine, but what do I do to get ready?

Well it depends who you are. If you’re a small to medium-sized company, find someone or some product that can get this type of infrastructure going for you.



If you’re an individual practitioner, become an expert in these types of infrastructure. If you want to ride the human work wave in InfoSec as long as possible, learn the big platforms like AWS, Azure, etc., with a focus in securing them.



And make sure you are good with data, which really means knowing how to code and use APIs. I recommend strong Linux and Python skills, with Go as a nice to have.



Summary


I think there are four big trends for the future of infosec:
A Surge in Demand, The Rise of Cyberinsurance, The Rise of Automation, and Dueling Algorithms
To survive as a human for as long as possible, become an expert in the big unified platforms
Know how to get data in and out of APIs


Notes


Keep in mind that trend #1 will be counterbalanced by the growth of people who need basic information security help. The question is when those two trends cross over.
Image from information-age.com.
If you want maximum safety, learn some data science and lift your data game even higher.



Published on November 06, 2020 00:02

November 4, 2020

The Simple Reason Polls Failed So Hard in 2020

[Image: Florida polling]



Regardless of who wins the presidency in 2020 there will be an incandescent conversation around polling. In short, how did they get it so wrong?



The graph above shows some top polls for Florida on November 2nd. Now compare that to how the state actually went.



[Image] Trump’s results in Florida from the New York Times



That’s an extraordinary miss of up to 12 percentage points in some polls, swinging from Biden +9 to Trump +3.



Nate Silver seems to have turned into Nate Copper.



But there’s a remarkably simple lesson in this that at least one pollster had already locked onto.



Don’t ask people their opinions directly.



Robert Cahaly is basically the new Nate Silver. He runs the Trafalgar Group poll, and he’s been using indirect techniques to run polls for a long time. Here’s what he had for Florida in October:



[Image] Trafalgar polling for Florida in October of 2020



He still didn’t get every state right, though.



He had Trump up a bit over 2% in Florida, which is very close to where it’ll likely land after everything is settled. And it wasn’t just Florida—he outperformed the other polls across the spread.




@SteveDoocy @kilmeade @ainsleyearhardt not all the pollsters were wrong. Our @trafalgar_group #polls were solid pic.twitter.com/lFgD45VOkQ

— Robert C. Cahaly (@RobertCahaly) November 4, 2020



I highly recommend this book.



The technique he uses is something I just read about in a book called Everybody Lies, written by an ex-Google data scientist. It’s about how asking people their opinion is one of the worst ways to find out what they’re thinking.









One technique he talks about is looking at Google Search data to see what people really think about things. Why? Because Google searches are private, and that’s what makes them honest.



Cahaly no longer shares his questions.



Trafalgar uses a similar approach to polling in that they don’t trust anything asked or answered directly. One of Cahaly’s early techniques used something like the Google Search data trick. Instead of asking:




Would you feel uncomfortable if a minority family moved into your neighborhood?




(which is likely to trigger all sorts of self-analysis and face-saving)



…they instead asked something like:




Would most people who live near you feel uncomfortable if a minority family moved into your neighborhood?




In other words, it’s not just lying to the pollster we have to worry about here; it’s also people lying to themselves. Cahaly talks in interviews about people not wanting to appear a certain way to the pollster, and that type of self-awareness seems likely to produce noise in the poll data.




I’m not sure who’s going to win yet, but I can tell you that Nate Silver has lost.

Taleb was right. You can’t over-rely on polls and models when 2020 human psychology is a turbulent mess of Black Swans.

Even if Biden wins, the models were deeply flawed.

— ᴅᴀɴɪᴇʟ ᴍɪᴇssʟᴇʀ (@DanielMiessler) November 4, 2020



The second version of this question allows people to speak freely about opinions they’re likely to share, but under the protection of, ‘People I know are likely to feel this way…’



The takeaway

Starting with a polling industry blood bath.



My expectation is that we’re about to see a revolution in polling that moves the industry away from Nate Silver’s approach—it turns out the aggregation of bullshit just results in a larger pile of bullshit—and towards Trafalgar and the concepts in Everybody Lies.



In a word, proxies.



Pollsters are about to start searching for ways to measure people’s opinions without asking them directly. Because yeah…that clearly doesn’t work.



Notes


I think the “Shy Trump Voter” is an element of this, but it’s a subclass of the Everybody Lies phenomenon. People might be proud of supporting Trump and just not want to share it out of self-preservation, but some subset might not even know how much they support him until they get ready to vote. And in both cases direct polling will fail.



Published on November 04, 2020 13:06

November 3, 2020

News & Analysis: No. 253

I spend my time reading 3-6 books a month on security, technology, and society—and thinking about what might be coming next. Every Monday I send out a list of the best content I’ve found in the last week to around 40,000 people. It’ll save you tons of time.






















MY ESSAYS



How to Write Well — What I’ve learned in over two decades of writing online. More



The Future of Sensors, Algorithms, and Recommendations — How algorithms will continuously monitor everything in our lives. More



I Actually Like Remote and Pre-Recorded Presentations — Are you missing conference content or the conference scene? More



Substack is Great For Newsletters, But Not For New Creators — Don’t build your entire brand on new tools that only do one thing. More



SECURITY NEWS



The US government is continuing its trend of releasing state-sponsored malware it finds—this time releasing 8 samples developed and deployed by Russian hackers. Six were for the Turla hacking group, and two others were being used by APT28. More



Zoom has rolled out end-to-end encryption. More



An Australian newspaper has discovered a Chinese government database containing records on more than 2 million scientists around the world. The Overseas Key Individuals Database (OKIDB) includes many thousands of nuclear and other strategic industry experts, their personal information, and even where their relatives live. I’ve written about China doing this in the past. More



CoreView Research says 78% of Microsoft 365 admins, and 97% of all Microsoft 365 users, don’t use multi-factor auth. Yikes. More



Vulnerabilities: 




WordPress has patched 10 security bugs as part of their recent 5.5.2 release. More


Companies:




Eagle Eye is bringing video surveillance to the cloud, and just raised a $40 million Series E. More


TECHNOLOGY NEWS



Cloud infrastructure revenue grew by 33% last quarter, reaching nearly $33 billion. More



Flippy robots will cook burgers in 10 more White Castle locations. This is a great example of where the door to automation was opened by COVID. They tried one robot because of social distancing, but now it’s worked so well they’re getting 10 more. This is pee that won’t get taken out of the pool when the pandemic is under control. Once the jobs go to cheaper robots that don’t show up late to work, get sick, and cause HR violations—the trend will only flow in one direction. More



Google Play Music has been shut down. But don’t worry, I’m sure they have 13 other music apps you don’t know about that will also soon be removed. Google Meet Music Wave? More The Google Graveyard



There’s a new, super-white paint that can reduce cooling bills and even cool the planet. If it’s used enough. More



Companies:




Eagle Eye is bringing video surveillance to the cloud, and just raised a $40 million Series E. More
Shotcall is a new company that lets fans play with their favorite streamers. More


HUMAN NEWS



Researchers appear to have found a way to detect asymptomatic COVID patients by using AI to listen to how they cough. More



Netflix is raising prices again. The “Premium” plan (4k and 4 simultaneous streams) will go from $15.99 a month to $17.99. The “Standard” plan (1080p and 2 simultaneous streams) will go from $12.99 a month to $13.99. The “Basic” plan (SD and 1 stream at a time) will stay at $8.99.



Researchers have found a key brain mechanism in mice that handles motivation to learn. They can increase or decrease activity in striosomes to raise or lower engagement in a task. More



Companies:




Flash Forest is a Canadian company that uses drones to plant trees. They can plant 40,000 trees in a month. More


IDEAS, TRENDS, & ANALYSIS



Nicholas Christakis (MD, PhD, MPH) was just on Sam Harris’ podcast, and he predicts 2021 will be much like 2020 for the pandemic, with the vaccine arriving in late 2021. He thinks 2022 will be the year of widespread vaccine distribution and the turning of the corner, with things returning to something like normal in 2024. I really liked his analysis of how this will all play out. Podcast Episode



Laura Rosenberger, appearing on the Lawfare Podcast, had some great points about election security. She said that the risk of actual election hacking seems to be low, or at least lower, than in 2016, but the real risk of mis/disinformation from actors like Russia might not fully pick up until after the election. She made the point that reducing confidence in democracy overall is the primary goal, and that this can be done by attacking the election after it’s over just as well. She also pointed out that in 2016 the primary goal was still to attack Democracy, and hurting Clinton and helping Trump were secondary. 



Cloudflare’s COO says the future of cybersecurity is going to be a lot like water treatment, where you have known-bad inputs being treated by multiple layers of filtering until it’s safe to drink. More



Americans are spending 2-3 months a year on their phones. More



68% of Americans say they know someone with COVID. More



UPDATES



Should be a fairly slow week, but I think there’s some kind of an election going on.



Reading:




I just finished, Wintersteel, the 8th book in the Cradle series (LitRPG), and it was a lot of fun
I’m currently reading The Upswing for the UL Book Club
I added The Life of Samuel Johnson to my queue based on a recommendation
Nudge was really good, which we read for UL Book Club last month
I’m really looking forward to How to Read and Why
I’m nearly done with Democracy in America, by Alexis de Tocqueville


DISCOVERY



CrowdSec — A Go-based, modern replacement for Fail2ban. Download My Tutorial My Metrics 



Thinkst Canary — Near-zero false-positive attacker detection, especially great when your logging/monitoring game isn’t where you want it. More



Ninja — A simple way to do builds. More



How journalists use YouTube-DL More



Someone just subscribed to 50+ newsletters, and they give their analysis of what makes a good one. More



RECOMMENDATIONS



How to Read and Why — A new book on reading that I can’t wait to get to. More



APHORISMS



“To avoid criticism, do nothing, say nothing, be nothing.”



~ Elbert Hubbard







Published on November 03, 2020 02:04

November 2, 2020

The East, West, Individualism, Collectivism, and COVID

[Image: individualism vs. collectivism]



Maybe the problems the US and Europe are having with COVID, compared to the East, can be reduced to individualism vs. collectivism.



Many people ask why the West is so innovative, i.e., why we seem to have done so much of the invention in the last couple of centuries.



Maybe that’s because innovation is a byproduct of greed, which is tightly coupled with individualism.



China, Japan, and South Korea are all handling COVID much better than the United States and Europe, and many have pointed out that this could be because it’s far more accepted there that society is more important than individuals. So when a curfew is announced, people tend to listen.



So maybe the countries with the biggest stock markets will have the worst responses to pandemics.



This Individualism vs. Collectivism concept—framed as “we” vs. “I”—is a central theme in Robert Putnam’s new book, The Upswing, which I’m reading now.



Highly recommended if this contrast is interesting to you.



Notes


China is the exception to this in many ways since they’re purposely trying to harness the advantages of both systems.



Published on November 02, 2020 06:33
