Daniel Miessler's Blog, page 60
November 2, 2020
Two Statistics That Make Me Think Trump Will Win Again
I’ve been saying for a few months now that I think Trump will win again.
I’ve become less convinced of that as he got COVID and proceeded to unravel in front of the planet, but with one day to go I think his chances are high again.
To me it comes down to one idea backed by two statistics:
IDEA: Mathematical models are based on assumptions, and it’s hard to get the assumptions right in 2020. Or, put differently, people are unpredictable. And this is even more true right now in the middle of a Black Swan event.
STATISTICS: And then there are these two statistics that give me further indication that the polling showing Biden way ahead is wrong.
56% of Americans say they’re better off today than four years ago. And this was a poll done in September, not March.
62% of Americans say they don’t feel comfortable talking about their political beliefs.
Not only do 62% say they don’t want to share their beliefs, but the numbers are heavily skewed towards conservatives being the ones that are afraid. It’s the liberals that feel comfortable sharing their beliefs!
I’m not a polling expert the way Nate Silver is, and I can only hope he has this type of data incorporated in his model, but I have to admit that I doubt it.
Talking with my liberal friends I feel the exact same disconnection with mainstream America as we saw in 2016. I feel hubris. I feel overconfidence.
And when I see that most people think they’re better off than four years ago, and most conservatives are afraid to share their opinions, it tells me that the polling data is likely to be skewed left. Maybe more than in 2016.
Again, I could be wrong. Maybe Biden really will win in a landslide.
But my Spidey Sense tells me no.
—
If you get value from this content, you can support it directly by becoming a member. Being a member gets you access to the newsletter every week instead of just twice a month, access to the UL Slack Channel, the UL Book Club, the UL Archives, and access to future member-only content.
November 1, 2020
The Future of Sensors, Algorithms, and Recommendations
One of the easiest technological trends to predict in the coming decades is the improvement and penetration of sensors and algorithms.
In short—more sensors, in more places, gathering more data, which are fed to better and better algorithms.
Those algorithms will work together and be fed into a universal interface in both consumer and business environments, and that interface will arrive at conclusions and then make recommendations. This technology trend is universal because it aligns with a human universal, i.e., the desire to improve our lot.
When we’re at home, the combination of sensors throughout our house will include microphones, cameras, radio signals, air-quality, chemical detection in the sinks and toilets, etc.
These will obviously start basic and get more advanced.
All combined, these sensors will be able to tell us if we’re hungry, tired, happy, sick, angry, depressed, and a thousand other emotions and moods—all in realtime.
That’s what the system will know—because all the sensors will report into a centralized system, likely put out by a single company. Amazon will definitely be a player in the space.
So let’s say you have the AmazonLife™ bundle, which includes up to 72 sensors of 9 different types that are part of your household. Sheets, curtains, toilets, clocks, speakers, ovens, toasters, displays, furniture. They’re all smart-sensored-up using Amazon technology.
Now Alexa knows what’s going on with your whole family.
Your daughter is struggling with her remote studying during COVID-27, and she’s been frowning a lot, shutting doors a bit too hard, sulking, her heart rate is lower, and her diet has been erratic.
You get all of this in a summary from Alexa whenever you ask, because you’re her parent.
And if you ask for recommendations, Alexa can send your data to your designated mental health service to get advice, or you can send the anonymized data to multiple services and have Alexa give you the summary of 379 different opinions on how to help her.
But your 7-year-old son looks to be sick, based on his temperature, breathing rate, heart rate, and the content of his stool.
Alexa told you that as well, since she can see the content from all 71 sensors throughout the house.
Hi Sarah, just to let you know, it appears that Micah is coming down with a virus. The symptoms are consistent with a common cold, but I can’t say for sure without more testing. Would you like me to gather more data?
Alexa could also have the data from the whole family’s mobile devices, which are doing their own sensing. So what they ate while they were out, how much they talked to friends, where they went. Their tone of voice. Their heart rate. What they ate. How much exercise they got, of what type.
MIT can already detect emotion using radio waves.
All that is then combined into various scores for healthiness, fitness, happiness, etc.
As a parent you will have access to your AmazonLife™ Dashboard, on your mobile device or on your house wall, or wherever.
There you can see your whole family. Their health. Their fitness. Any anomalies. And recommendations from Alexa on how to improve things.
Your financial targets aren’t being met? She’ll offer you some investment opportunities. Or to use one vendor instead of another for your lunch meat. Christen isn’t doing as well in Mandarin this month? Here, we found him 19 different tutors and picked the best one.
Would you like to sign him up to meet with Jiang tomorrow to start tutoring? I can add it to the calendar.
If you’re thinking you’d never allow this level of intrusion into your life, that’s because you’re old. And when I say old I mean you’re over 7.
This won’t all land at once, and when it comes in increments it won’t feel like Gattaca; it’ll feel like magic. And it will be.
People want to have their lives curated for them, and they’re willing to give up most anything to have an “optimized experience”. Especially parents. All these things will equate—at least on paper—to advantages for their children. And as it turns out—that’s kind of the most important game in life.
Expect it.
With exceptions for certain types of privacy, obviously.
We’ll have something like Alexa, which is watching 24/7, using as many sensors as possible, that can see as much as possible, so they can infer as much as possible, and then recommend the best possible course of action.
The endgame for this, which the rich will have sooner and better than everyone else, will equate to a constant team of 1,000 experts fanned out across the globe and within 100 meters of your location.
These AI sensors, drones, and algorithms will be monitoring your surroundings, your loved ones, who’s walking behind you, who’s near your home, who’s looking at your latest poem, etc…and then alerting you if anything happens out of the ordinary—based on your preferences.
Take the next left up here. The next block isn’t that safe right now.
(you take the next left)
Sorry to bother you, but Jaden just fell and scraped her elbow. No big deal. She’s being treated right now. There’s no major damage. Shall I put her on video for you?
This is inevitable tech. Not because of the tech itself, but because of us. We as humans long for this power due to the evolutionary advantage (real or perceived) it grants to the owner.
So we will build it.
Maybe you see this already. If you do, congratulations.
If you don’t, maybe you will once you see the first “depression sensor” that’s enabled by the smart microphones in your house. Or the “mood enhancer” that subtly changes the lighting in the house to improve your mood when Alexa detects you’re sad.
It will start small, but the tech is moving so fast it won’t be long before companies like Amazon start bundling these things into packages for overall life improvement.
I’m excited and terrified for this future, and I know it’s coming.
Notes
I wrote about this extensively in my book, The Real Internet of Things.
October 28, 2020
I Actually Like Remote and Pre-recorded Presentations
I have an unpopular opinion about the security conference scene. Basically, it’s the opposite of what John Strand said here:
Can we all agree that pre-recorded Conference talks are horrible? I mean… Why?
— strandjs (@strandjs) October 28, 2020
I see this sentiment a lot from a lot of people in infosec, and I think I’ve figured it out. I think people who love presenting live are actually in love with presenting as much or more than what they’re presenting.
It’s about people, and personalities, and the thrill of being a public figure. The ideas and content matter of course, but it’s secondary to the crowd and the interaction between them and the performer.
That’s not shade because I also enjoy giving and attending live presentations. There’s something about it that’s just…well, kind of like live music compared to listening to studio recordings at home in headphones.
It’s absolutely different. 100%. But unlike John, I don’t see the studio version of presentations as inferior to the live versions.
It's easier for speakers. Very rarely do I get engagement until q&a end-segments at talks. So unless people are referencing the "feeling" of being live… I disagree. I can record comfortably, edit out bad segments, plan around my schedule, and focus more on quality content.
— Jason Haddix (@Jhaddix) October 28, 2020
But I’d rather go to a live conference than a remote one, because people.
I actually prefer both giving and watching pre-recorded talks. To Jason’s point above, they allow me to be my best self, which doesn’t always come out on stage. Sometimes it does, and that’s a great experience for both me and the audience. But sometimes it doesn’t, and that sucks in equal measures.
I think it comes down to what you most enjoy about talks. If you’re there for the feel of the crowd and the rock concert vibe, then pre-recorded talks are going to be horrible. I get that.
Hi DEFCON. We love and miss you.
Pre-recorded talks are like studio music recordings.
But if you’re there for the ideas primarily then it’s nice to not have all the drama of broken mics, not being able to see the slides, and of course—worst of all—not being able to even get in the room to see the talk.
Live vs. recorded music really is a useful analog here. The argument for live music is that it’s more of an experience. It’s more engaging. It’s deeper at an emotional level. And if I think about my own concert experiences I completely agree.
But there’s a problem with this analogy. Music doesn’t have the same purpose as a presentation.
I’m not going to a talk to get caught up in the moment, to lose myself, or to laugh and cry. I’m not primarily there for an experience. I’m there to hear about new content. I’m there for new ideas.
I want the idea to be the centerpiece, not a performance or my emotional reaction to that performance.
I think a massive amount of the infosec conference scene is people in Live Music Mode. It’s about the concert. It’s about the people. And it’s about the rock star.
I’m about it. I love in-person conferences for this reason too. But I enjoy that most in LobbyCon, and the dinners, and the events we do together away from the conference—not so much in the talk itself.
Seeing talks in person is like hearing live music.
That’s why I think I have really enjoyed the forced transition to remote presenting, and even to pre-recorded sessions. They allow people to present their ideas in the cleanest possible way, with minimal distractions from the idea itself.
Ultimately I think people who hate remote or pre-recorded talks have to ask themselves what they’re really mad about. What are they missing?
Do they feel like they’re not getting the idea from the content itself, or are they really just missing the conference scene of people, personalities, and performances?
It’s ok if it’s the latter. I’m right there with you. But I think we should be honest with this distinction between the content and the experience.
Notes
One other problem with pre-recorded content is that it removes the feeling of ephemeral specialness, although that gets diminished in any live talk that gets recorded. This reminds me of paying to go to Harvard and then finding out that your professors have all published this year’s entire set of lectures for free on YouTube. It removes the exclusivity of being one of the special group in the class, or the talk as it were. But you know what? I’m ok with that. Ideas should be more widely distributed, both in elite education and in conference settings.
Music lovers will tell you that some bands are better live than in the studio. I think the same probably goes for presenters. I think some people excel at creating content where people come away thinking, “Wow, that was a cool idea!”, and others are great at creating content where people come away thinking, “Wow, that presenter was great!” It’s not binary. It’s a hybrid, and everyone is doing both, but I think people generally float towards one end or the other. As a (usually) introvert I definitely float towards the idea side of the spectrum.
Let me also just openly admit that I have a much lower “great” live talk performance percentage than people like Dave Kennedy or Troy Hunt. They always land 9’s and 10’s when they speak. I have had a number of 8’s, but I’ve also had my share of 3’s and 4’s. And I absolutely admit that if I were more consistently great in person then my calculus might be different. I don’t think my position would change on this point; I would simply side more with the Live Music effect. But I can’t say for sure.
How to Write Well
I started writing online in 1999, and I get asked a lot about how I became decent at it. The short answer is lots and lots of bad writing, but the better answer is that I learned to follow some basic rules.
I am going to share those rules with you now.
1. Organize your thoughts using an outline
I use outlines for presentations as well.
Good writing requires clear thinking.
When I set out to write or explain something, I capture everything I want to say into a structure. This is the outline I used for this piece.
Intro
Outline/Clear Thinking
Be Direct
Sentence Flow
Summary
Rewrite your outline until it makes sense as a sentence.
I then imagine that outline as a sentence that helps me crystalize what I want to say.
What I learned over two decades of writing is that you need to think clearly, write plainly, and alternate between short and long sentences for maximum effect.
This whole essay could be summarized as that one statement, and the fact that I clarified that in my mind before I started writing helps the essay flow. It’s the reason I know exactly where I’m going.
Readers can tell if they’re being led somewhere with confidence.
There’s no way to hide disorganization with good writing. If you’re making it up as you go along, your reader will know.
Know what you want to say before you start.
In order to write well, you must first learn to think well.
2. Write in a conversational tone
Language is like running code on the reader’s mind.
To avoid peoples’ mental garbage filters, you should write like you speak.
The first sentence of this essay is:
I started writing online in 1999, and I get asked a lot about how I became decent at it.
That’s something a human would say to another human. Imagine if I had started with this instead:
Writing is one of the most important life skills you’ll ever develop.
That might be true, but normal people don’t talk that way. Sentences like this are the writing equivalent of Jazz Hands. It tells the reader to expect bullshit, and they tune out.
Obfuscation implies deception.
Embellishing is one of the primary tells that someone is lying.
Natural writing conveys honesty and soaks deeper into the reader because only honest people can afford to be plain.
3. Be direct and concise
Eliminate unnecessary words, avoid adjectives as much as possible, and just plainly say what you want to say.
Don’t write, “He was very happy” when you can write “He was happy.” You think the word “very” adds something. It doesn’t.
Scott Adams
Following this advice is really difficult. Just assume you’ll fail and plan to edit each sentence multiple times until you reach maximum potency.
4. Alternate between complex and simple sentences
Christopher Hitchens is the master of this.
It’s true that crisp sentences have the most power per character, but you get maximum impact by alternating between the complex and the simple. This is an art, but there’s also a shortcut.
Alternate between long and short sentences.
Here’s a brilliant example.
A good argument in five sentences will sway more people than a brilliant argument in a hundred sentences. Don’t fight it.
Scott Adams
“Don’t fight it” lands so well because the previous sentence was longer. It’s the contrast that makes it click.
The alternation is not one-for-one; you have to adjust for readability.
Summary
Clear writing is only possible with clear thinking, so start with an outline.
Fancy language communicates deception, so write like you’re talking to someone.
Wandering sentences lose the reader, so be clear and direct.
Flow creates impact, so alternate between short and long sentences.
And finally, if this list had a #5 it would be to spend a lot of time practicing.
Writing is the best only way to get good at writing.
I’ll see you out there.
Notes
This guide is clearly focused on normal, “online” writing, such as for essays or a blog. Business, academic, and other types of writing might have different requirements, but I’d argue they could also benefit from a more direct and conversational tone.
There’s an interesting tradeoff between conversational writing and being concise. Sometimes you might want to say something is really, really funny—because that’s what you’d say in real life. Even if it uses extra words.
I am often asked how I’m able to organize my thoughts when I answer questions, and I always give the same answer: it’s because I spend a lot of time writing. This habit of organizing what you want to say is invaluable as a thinker. It forces you to actually have a destination before you start driving.
The post that changed my writing the most was by Scott Adams of Dilbert fame, called, The Day You Became a Better Writer. It’s probably still my favorite, including this piece of mine you just read. The advantage mine has is that it’s a methodology rather than just advice. I’d been admiring his writing for a long time before he wrote that post (a habit I’ve stopped since he became an unhinged Libertarian), but it was that piece that crystalized what I enjoyed about his prose.
The Hacker’s Reason for Avoiding Clichés is an essay I wrote on why you should avoid common phrases.
Writing with complex language is often a way to hide a lack of ideas in the content. You see this a lot in academic writing, where they spend nine pages of tiny font to convey three sentences.
Small fonts are an interesting trick used by people and institutions trying to maximize their status in the reader’s mind. Basically, the harder it is to get the message, the more the reader thinks of the content. Academic journals and many bloggers abuse this psychological fact by saying very little in a font that’s barely legible. Wow! I had to squint to read this! They must be super smart!
October 26, 2020
News & Analysis: No. 252
October 25, 2020
Substack is Great For Newsletters, But Not For New Creators
Substack just announced that they’re doing custom domains now, and that’s great. But I think this is a bit of a trap—especially for new creators.
I’m sure they’re working on expanding.
The problem is that Substack is really, really good at newsletters—but not much else.
New creators should be thinking long-term about their platform, starting with their domain and where it’s hosted. To that end, I recommend people use something like WordPress or Ghost as their primary platform because they offer maximum future-proofing.
There’s no guarantee that hot new services like Substack will be around in 2-5 years.
These platforms are blogging platforms first, with other stuff bolted on, and they’re made to last as a permanent home for someone’s platform and brand.
Substack is brand new, and it’s focused purely on newsletters right now. And as slick as it is—and it’s very slick—there’s no guarantee that it’ll survive.
My recommendation
You want to keep your options open as a creator.
If you’re a new creator planning on doing writing, video, newsletters, etc, and you’re not exactly sure what your mix will be in the future—I don’t recommend you start with Substack, even though they can host your domain.
I recommend you get some WordPress hosting from somewhere, or sign up with Ghost, and then maybe use Substack for your newsletter.
Lock-in becomes a worse problem as you grow.
Ultimately, using Substack—or any other third party—as your main domain means you’re locked into that provider’s features. And you want that feature set to be as broad as possible.
Surviving as a creator requires maximum flexibility.
So, congrats to Substack. Great stuff.
But creators should keep their main domains and platforms as agnostic and untethered as possible to avoid lock-in and migration problems in the future.
Notes
To this point, self-hosted WordPress is probably your best bet right now because another thing you want to defend against is being de-platformed for your beliefs. Today that’s largely just happening to extreme-right-types, but who knows where future winds will blow. Try to make your entire platform stack as resilient as possible to this as well.
You Should Be Running Your Own VPN Server
VPNs are more popular than ever, but I think many are confused about why they’re running them.
There’s a concept in security called Threat Modeling, where you figure out what you’re worried about—specifically—and then you look at how your defenses match up against those attacks.
This is something that VPN users need to do.
The most common things VPN users are interested in—or worried about—are:
For #1 it’s usually porn.
1. Their ISP Looking at Their Traffic: Most people use VPNs to hide their traffic from someone, which mostly applies to their ISP. Not enough people realize the traffic that leaves the VPN server travels normally, so you have to ask yourself who you’re really hiding from.
2. Being Able to Access Country-Specific Content: This is for people who want to avoid IP/Country-based restrictions to content, like only being able to order a product from the UK if you’re in the US, or watch streaming content that’s restricted to a particular country.
3. Hiding From the Government: A lot of VPN users think that using a VPN makes their traffic invisible. Like nobody can ever see it ever. And this just isn’t true. The site you’re visiting can see that traffic (obviously), and all the locations your traffic moves through can potentially provide logs to the authorities if they were asked.
This is where most people’s use of VPNs tends to break down.
If you’re just using a VPN so you can look like you’re coming from multiple countries, fine. You can use almost anything in that case, and the only thing you might care about is performance (for streaming quality, etc.).
If you’re trying to hide your online activity from someone, however, you have to ask who that someone is. Are you trying to hide from someone who has access to your computer? Well, the VPN won’t help with that. Are you trying to hide from someone who has access to your ISP and its logs? In that case you can use most VPNs.
It’s hard to build good defenses without knowing who you’re defending against.
But if you’re trying to hide from the government, because you’re a journalist worried about free speech, or you’re someone investigating the government or something, well, then you need to worry about another threat: governments having access to your VPN provider.
Let’s say you’re using some overseas VPN provider to hide your traffic from your own government, for whatever reason. Do you really know what security that VPN provider has? Do you know all the laws for the country in which they operate? Do you know their relationship with your government, e.g., EU, US, China, Australia?
Probably not.
There have been many situations where we find out later that some famous VPN provider has been infiltrated by one or more governments for months or years, with access to logs. That means they potentially know usernames, origin IP addresses, traffic patterns, etc. And that could include your traffic.
Do you really want to share VPN infrastructure with a bunch of people trying to hide from others?
VPNs aren’t just used by people trying to watch Netflix; they’re also used by criminals, and that means they’re a prime target for governments. And if you’re the one doing something sensitive then you might be the one the government targets at your VPN provider. What will that provider do when the government of Country X walks through the door with a warrant?
They’ll probably hand over whatever they have on you.
A better VPN option
This is why it’s better to just run your own VPN service.
Remember, we’re trying to:
Hide your traffic from your ISP (because they should mind their own business)
Get around Country/Region restrictions (because foreign content is better sometimes)
Avoid governments accessing your VPN provider’s logs (because that’s creepy)
The only solution that accounts for all three Threat Scenarios is you running your own.
Trail of Bits just created a method of easily deploying WireGuard.
Luckily this is pretty easy using Algo, which is a tool put out by Trail of Bits—a small but well-known and trusted security shop.
If you’re sophisticated enough to use a VPN this isn’t that much more complex. In fact, you are just changing the setup step from setting up an account with a VPN provider to setting up an account with a VPS provider, such as Amazon, or Digital Ocean, etc.
These are generic providers of servers, and what you’re doing is enabling them to build a custom, secure VPN server for you that only you have access to. It’s a dedicated VPN infrastructure.
Once you have that set up, you just run through a setup wizard and it builds everything for you. Then you put your credentials into your VPN client and you’re done!
It’s hard to ask for logs that don’t exist anymore.
The coolest thing about this is that you can then go in and destroy that VPN box whenever you want—like every month, or every week, or after every use if you were that paranoid.
It’s going to be infinitely harder for a foreign government to come after some random IP address on Digital Ocean, for example, than just going to a known VPN provider.
And if the box is already destroyed when they do come to Digital Ocean or whatever VPS provider you’re using, there’s not too much they’ll be able to do.
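Running your own server only covers the ISP scenario if the client actually sends everything through the tunnel. As an added example (not from the original post and not part of Algo), this Python script audits a WireGuard client config in the standard wg-quick format for split tunnelling, IPv6 outside the tunnel, and missing tunnel DNS. The function names, sample configs, placeholder keys and addresses are constructed for illustration.

```python
import ipaddress

# Constructed samples in wg-quick format. Keys are placeholders and the
# endpoint uses a documentation address range; this is not Algo output.
SAMPLE_SPLIT = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.49.0.2/32

[Peer]
PublicKey = <server-public-key-placeholder>
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1   # two halves of the IPv4 space
Endpoint = 203.0.113.10:51820
"""

SAMPLE_FULL = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.49.0.2/32
DNS = 10.49.0.1

[Peer]
PublicKey = <server-public-key-placeholder>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 203.0.113.10:51820
"""


def parse_wg_config(text):
    """Return (interface, peers). Keys are lower-cased, values are lists."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                current = None  # unknown section: ignore its keys
            continue
        if current is None or "=" not in line:
            continue
        # Split on the first "=" only, since base64 keys end in "=".
        key, value = line.split("=", 1)
        items = [v.strip() for v in value.split(",") if v.strip()]
        current.setdefault(key.strip().lower(), []).extend(items)
    return interface, peers


def covers_everything(cidrs, version):
    """True if the CIDRs of this IP version add up to the whole address space."""
    nets = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == version:
            nets.append(net)
    # collapse_addresses merges adjacent networks, so 0.0.0.0/1 plus
    # 128.0.0.0/1 collapses to 0.0.0.0/0 and counts as a full tunnel.
    collapsed = list(ipaddress.collapse_addresses(nets))
    return len(collapsed) == 1 and collapsed[0].prefixlen == 0


def audit(text):
    """Return a list of (code, message) findings for one client config."""
    interface, peers = parse_wg_config(text)
    allowed = [c for peer in peers for c in peer.get("allowedips", [])]
    findings = []
    if not covers_everything(allowed, 4):
        findings.append(("split-tunnel-ipv4",
                         "AllowedIPs does not cover all IPv4: some traffic "
                         "leaves outside the tunnel"))
    if not covers_everything(allowed, 6):
        findings.append(("ipv6-outside-tunnel",
                         "AllowedIPs does not cover ::/0: IPv6 traffic "
                         "bypasses the tunnel on a dual-stack network"))
    if not interface.get("dns"):
        findings.append(("no-tunnel-dns",
                         "no DNS line: lookups go to the system resolver, "
                         "which is often the ISP's"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("split", SAMPLE_SPLIT), ("full", SAMPLE_FULL)):
        for code, message in audit(cfg) or [("ok", "no findings")]:
            print(f"{name}: {code}: {message}")
```
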
Summary
Threat Modeling is essential for making sure your security controls are working against the things you’re actually worried about
Most people aren’t doing this regarding their VPN use
One of the main things people are worried about is government access to their traffic
Commercial VPN providers are rather vulnerable to government access, and you wouldn’t necessarily know if that happened
The best way to get maximum VPN security is to run the VPN server yourself, and to regularly destroy and re-create the box itself
This is trivially accomplished in minutes using Trail of Bits’ Algo, which builds the entire infrastructure for you in one command.
Notes
The goal here is not to teach people how to hide from various governments. First, if you’re that much of a threat, they’ll come for you physically and the VPN won’t matter that much. Second, the thing you’re doing on the other side of the VPN will likely have your tracks as well.
The purpose of this post is to teach people how to think about VPNs in a Threat Modeling Mindset, i.e., asking yourself what you’re actually worried about and building your controls accordingly. In other words, this is a lesson in people not assuming they have more security than they actually do.
More information on Trail of Bits.
October 21, 2020
Trump is the Worm, Not the Unpatched Network
America has a much bigger problem than Donald Trump. Its problem is being a country that could elect Donald Trump. That doesn’t go away if/when Trump leaves the White House.
If he leaves before serving two terms, he can run again in 2024. And if he doesn’t—or can’t run—in 2024 someone else with similar ideas can run in his place.
This reminds me of computer security. If you have a massive network of millions of unpatched servers and desktops, that are vulnerable to all manner of malware, it’s unwise to spend all your time fretting over one particular outbreak.
You may fix that one worm—that one virus—but it will not make you safe. Another one is sure to follow.
This analogy works well for externalities as well, since if that company keeps having breaches and there doesn’t seem to be any improvement in their security posture, people will stop doing business with them. And that’s definitely the message we’re sending to the world right now.
The United States is no longer a safe basket for your eggs.
So what is the lack of patching in this analogy? It’s the lack of educated, critical thinking among our population. It’s the anti-science mentality. It’s the willingness to embrace ignorance in exchange for having an in-group that agrees with you. It’s the willingness to put that in-group first, to the exclusion of others.
And then there’s the gross ignorance that you’d expect from poor countries fifty years ago.
Two-thirds of millennials don’t know what Auschwitz was.
During the 2016 election, 40% of Americans couldn’t name the VP candidates.
45% of Americans believe in ghosts and demons.
Over 1 in 5 can’t name a single branch of government.
The analogy to patching works on multiple levels because unpatched systems don’t just get hacked, they also become unstable and stop working.
My point here is that nobody should think that Trump was the problem. America is the problem. Specifically, a population of idiots is the problem.
And this isn’t about higher education, or elites or any of that. Not everyone needs a Master’s degree or even any education after high school. The problem is with common sense, critical thinking, and a general compassion for others.
When the lack of these combine, they form a cesspool of vulnerability.
We’re vulnerable to internal strife. We’re vulnerable to economic trouble because our institutions won’t function as well. We’re vulnerable to information warfare because people won’t question the source of emotion porn targeted at them. And that prevents us from agreeing on common goals and making progress.
From there we can be shattered into a million pieces by foreign adversaries like Russia and China, which is precisely what’s happening.
This wouldn’t be so bad if there were a few other Europes or Americas poised to rise and take our place. But that’s not what will fill our void. If the US falls it will be China and/or Russia that move in to replace us.
If you think the US is unpleasant or unfair, or that Europe isn’t tolerant enough of migrants, wait until you see what Putin will do. It doesn’t require much imagination, actually. We can see the societies that Russia and China have in their own countries.
Is there equality for minorities? Equality for women? Freedom of speech? Freedom of the press? How about LGBTQ in Russia and China? No. They are totalitarian states, and they are one-thousand times worse than liberals imagine the US to be.
But at this rate they won’t figure that out until it’s far too late.
We must address the unpatched network that is our ignorant population. The left is acting like out-of-control lupus, attacking the very underpinnings of our country and the basis for its cohesion. And the right seems content to abandon our connections with the rest of the world.
Don’t blame Trump, and don’t blame the next authoritarian idiot that comes behind him. Their whistles only work on those who have ears for them, and unfortunately that seems to be around half the population.
It’s We the People who are the problem.
Notes
I don’t only blame Republicans for this. The Extreme Left has a major hand in this by refusing to provide a realistic center option. Someone has to speak uncomfortable truths around personal responsibility and other topics, and if there’s no center to do it, the Extreme Right will happily fill that void. People like Trump are enabled by the left being unwilling or unable to lead courageously while maintaining its progressive ideals. If strength and conviction are labeled Conservative by the left, then only conservatives will have those attributes.
October 20, 2020
Retroactive Mindfulness
Is it possible to rescue mindfulness from the past?
One of the most interesting lessons I’ve ever had in mindfulness came from Sam Harris in his Waking Up app.
He made the argument that it’s not actually time that gives you life, because if you live 90 years on the planet but never pay attention, it’ll be as if you only lived a very short time. Alternatively, you could pay attention closely, only live for 30 years, and your life could feel very full.
He argues that attention is the currency of life quality—not time.
To that end, he warns people not to just drift through life, lest they waste their lives essentially sleeping.
That waste part is what’s interesting to me. For those who didn’t pay enough attention early in their lives, is it possible to get any of that back?
I wonder if we can replay our past as memories, and attempt to be mindful of both the stimuli and the sensations they caused.
As observers. Not judges. Not victims. Not victors. Not someone enjoying fond or bitter memories. But as someone being present for the moment this time—as we weren’t the first time.
I think there are problems with the idea. First off, raw sensations aren’t fully recorded—or at least it’s not easy to retrieve them if they were recorded. So we won’t be experiencing the entire raw situation when we invoke a memory. We’re instead experiencing only very specific parts of the experience, and of course how they made us feel.
So it won’t be full-bandwidth. It’ll be lossy, compressed, and likely altered by our multiple recollections of the memory in the past.
But I can’t shake the idea that we could spend considerable effort, perhaps with a sherpa, to attempt to experience as much as possible, even if your creative subconscious has to construct some of the details, in order to be in the present—in the past.
If you have spent a quarter or half of your life not paying attention, would you like to get some of that time back?
If attention is the real measure of meaningful time, I think it might be possible to do just that.
We can navigate our memories, in as pure a form as possible, and just be there. Experience them. Be present. Accept what happens without becoming the event. Just observing it and letting it pass—like we would today with the present.
Retroactive Mindfulness. A way to harvest meaning from our past.
October 19, 2020
News & Analysis | No. 251
I spend my time reading 3-6 books a month on security, technology, and society—and thinking about what might be coming next. Every Monday I send out a list of the best content I’ve found in the last week to around 40,000 people. It’ll save you tons of time.
MY ESSAYS
The Content Value Hierarchy (CVH) — How to protect your podcast or newsletter from being cut when people hit content overload More
The Relationship Between Hardship, Struggle, and Meaning More
A CrowdSec Primer — A modern replacement for Fail2Ban More
SECURITY NEWS
Multiple law enforcement groups are preparing for election-related unrest by limiting the ability to take time off in the weeks before and after the election. More
China is working on swarms of so-called “suicide drones”, which are relatively inexpensive and can be launched from mobile platforms including trucks and helicopters. More
Projecting objects, such as stop signs, cars, and other obstacles, can make Teslas see those objects as real, causing them to swerve or apply the brakes. More
Sweden is growing its military spending by 40% due to tensions with Russia. More
Atlanta police used a drone to make an arrest in the murder investigation of Thomas Jefferson Byrd, and they released the video. More Video
Vulnerabilities:
CVE-2020-16898 — There’s an RCE in the Windows TCP/IP stack related to the handling of ICMPv6 Router Advertisements More
800,000 SonicWall VPNs are vulnerable to an RCE. More
There’s a bad NULL Pointer Dereference error in Flash. By the way, dereference just means “read”, i.e., trying to read something that isn’t there. More My Primer
Someone found an RCE in the desktop app for Discord. More
Multiple vulnerabilities have been found in Magento. More
Breaches:
Barnes & Noble warns customers of a breach that may have resulted in data loss. More
TECHNOLOGY NEWS
The 2021 Tesla Model 3s are getting some major upgrades, including longer range, a bit more speed, and double-paned glass. More
You can now hum or sing songs to search for them using Google. More
Google Analytics is rolling out a new upgrade—Google Analytics 4—which is nicer looking, gives more data, and uses AI to provide insights—but as per Google the rollout doesn’t seem well-documented or complete. There’s supposed to be an “Upgrade to GA4” button in existing properties, but many are reporting it’s not there for them. More
Companies:
Clear, the company that helps air travelers get through lines faster, looks to be pivoting into a larger identity verification play. More
98point6 raises $118M to do remote healthcare, including text-based interactions with doctors and automatic prescription sending to your local pharmacy. More Video
Balto raises $10 million to analyze call center conversations using AI. More
BlackSwan (who just raised $28 million) is an Israeli company that’s looking to enable any company to leverage AI for operational efficiency and data-driven decision making. More
Augury is a company that uses AI to predict machine faults based on vibration and sound, and they just raised another $55 million. Evidently they’re about to have competition from Amazon as well. More
Danon is a company that scans construction sites using AI and can tell you if they are behind schedule or if errors have been made. More
Alkira is a multi-cloud networking startup that helps people get their services onto multiple cloud services very quickly. More
HUMAN NEWS
China’s economy grew 4.9% in the third quarter of 2020. The surge is partly due to its lead at containing COVID. Construction and consumer spending are both up. Caveat: These are China-reported numbers. More More
China has rolled out a pilot of its new, digital version of the Yuan in Shenzhen. It’s not a cryptocurrency, just a digital version of the official, state currency. More
Nearly 900,000 people applied for unemployment in the US last week. More
Amazon has launched a payday loan program for its warehouse workers. This seems gross. It’s like they’re creating both the supply and the demand for a new business that shouldn’t have to exist. More
California has a $54 billion budget deficit and over 340,000 government employees drawing more than $100K in salary. That seems, well…unsustainable. More
Rents in San Francisco have crashed the most in the country: up to 31%. More
IDEAS, TRENDS, & ANALYSIS
How to Reverse 50 Years of Social Decline and Actually Make America Great More
I’m starting to worry, as are others, that there is a big shoe that still needs to drop regarding COVID and the economy. There’s a very real chance that we’ve just sort of been going on fumes for the last few months, i.e., stimulus, strong tech performance, etc., but that at some point the millions of unemployed people and all the unpaid loans are going to have an impact. Then there’s the election of course. We could see some strange times in the next several months. Maybe things stabilize and a Biden presidency brings a big optimism push for years. Or maybe he gets elected and all the Trump-fueled distractions get reduced, and people realize there are actually problems with the economy. Or maybe Trump wins and the cocaine-fueled optimism continues (but for how long?), or maybe his crazy optimism carries things through to a longer-term recovery. I don’t know, and nobody else does either. But the one thing to say is that it might not be a good bet to assume that the recovery will continue the way it has for the last few months, because it could be that the real impact of the bad economy simply hasn’t landed yet.
Is Maslow’s Hierarchy the Only Pyramid Scheme That Works? More
How Substack Became Milquetoast More
A Unified Theory for Coming Up With New Ideas More
UPDATES
As you probably noticed, I changed and shortened the intro to the podcast a bit, and I also trimmed the outro. David, who’s one of our original UL members, noticed that the outro was quite long and it prevented a quick transition into the next podcast. So I took that feedback and cut the intro/outro time by around 70% to make it easier to get into and out of UL content.
Just a reminder on product shoutouts, this show is very anti-ad, yet I am also very pro-product-discovery, and I’m trying to forge a new path that balances these two things. I’m still investigating ways to find and recommend more products on the site in the discovery section (if anyone knows a service I can use for that let me know!) Like I talked about here, my goal there is to bring extremely cool products to your attention that I find on Facebook, get recommended from friends, etc. One example is the RESOLUTE TOOLS everyday carry blade, which is actually the only knife I carry now. I’m also starting to reach out to some of those product companies that I find and want to recommend, to ask if they want to support the show. To date I’ve only found two products that have been 1) good enough to bring to your attention, 2) that I actually use, and 3) that I reached out to and asked to support the show. Those two products are Thinkst Canary Tokens, and now CrowdSec, which is in today’s show. I’ve recommended the RESOLUTE TOOLS blade multiple times but they’ve never been a show supporter, for example. More
I think I’ve been neglecting a certain type of writing on the site, which is essentially short-form ideas. In the past Google really hated seeing short posts, and in the past that mattered to me. But now I think 1) I care less, and 2) Google probably values people who post more often more than long posts. Either way, I’m looking to do more short essays on the site, and some of those I’ll also turn into short podcast episodes as well. The lesson here is to never impose limits on your own writing. If you have an idea, do it. Google—or whoever—will come around eventually.
DISCOVERY
CrowdSec — A Go-based, modern replacement for Fail2ban that leverages crowdsourcing to manage ban lists. I run this on all my public-facing servers, and I’m super happy to finally have a replacement for Fail2ban after all these years. If you run a web or SSH server, you should definitely check it out. Download My Tutorial My Metrics
I just ordered a new microphone arm from Gator Frameworks, which I recently saw on the Joe Rogan show and also saw my friend Phillip Wylie talk about as well. I currently have the one from Blue, which replaced my old one from Rode, and I’m hoping this will be even better since it’s Joe’s new preferred arm in his new Austin studio. I’ll let you know how much I like it. More
I’m trying a mechanical keyboard for the first time in over a decade, and I went with the Keychron K2 based on seeing it in an MKHD video. Not sure if it’ll stick or not. Very different from what I’ve been using. More
I went on Ashish Rajan’s Cloud Security Podcast this weekend and really enjoyed the conversation! Thanks to Ashish for having me on. Podcast Video
The Next World | Dark Techno / Cyberpunk / Dark Electro Playlist — A cyber-ish EDM playlist I love to hack/create to. More
How to Invent Everything — A new book that shows you how to invent everything if you get sent backward in time. More
An interesting set of metrics for gauging the health of your team. More
Lobsters’ Q4 Hiring Thread More
How to Read and Why — A new book recommended by a member of the UL Slack channel. More
A collection of Tech Landscape maps. More
Among-sus — A text-based multiplayer version of Among Us. More
The Hedonometer — A project that takes a 10% sampling of the daily Twitter firehose, and does bag-of-words analysis on the English words it sees. It then maps that as an indication of happiness/pleasure in the world. More
JWT Heartbreaker — A Burp extension that finds weak secrets automatically. More
VulnHub — Prebuilt vulnerable environments built on Docker. More
RECOMMENDATIONS
How to Read and Why — A new book on reading that I am so excited to get to. Yes, I haven’t read it yet, so it’s a weird recommendation. But it’s a highly-rated book about why you should read, so I’m recommending it sight unread. More
APHORISMS
“To avoid criticism, do nothing, say nothing, be nothing.”
~ Elbert Hubbard
