Daniel Miessler's Blog, page 70

I get obsessed with things. Right now it’s coffee and podcast audio production. More on coffee later. Let’s talk microphones and audio.

I wrote earlier about how you should reduce bass in your podcast audio so that your voice can cut through background noise. But I didn’t fully implement the lessons therein.

The article that got me started in this direction initially was this one, where NPR’s top audio engineer was interviewed about how they create and maintain their sound.

You should read that piece. All of it. But here’s what I extracted from his tips and combined with other knowledge of this topic—many of which I actually wasn’t doing until just today.

NPR’s podcasts and broadcasts are known for their crispness and clarity. Here’s how they get there.

Go with a condenser mic (rather than a dynamic mic) if you’re looking for crystal clarity, becasue it has a wider frequency range. This will give you more of the highs and lows combined that create that clear, truthful NPR sound.
Speak close to the mic so you get the full benefit of the microphone. He mentioned wanting to be around 6 inches, at a slight angle.
Don’t add bass via effects, your mixer, or any other part of the flow. A low-pass filter is a good example of what not to do.
Use the bass roll-off feature of your mic—if it has one. This means it’ll cut the lowest frequencies out of the original signal directly on the mic.

In other words, speak close and direct into a high-end, condenser mic, drop out the low-end on the mic itself, and don’t mess with the signal after that! Leave it alone.

Also notice that audiobooks use this same clear, crisp tone. You never hear them with the rumbling voices of podcasts.

He especially talks about this added bass issue. It’s everyone’s natural tendency to add bass.

Back when I worked in Detroit, we were an RE20 station. And a lot of on-air talent — and we get a little bit of this here at NPR — likes to sound a little bit more authoritative, and they hit the microphone into the flat position to get that bassy sound.

In Detroit, we used epoxy to hold all of the switches into a position so that couldn’t happen again. And, honestly, we do see that occasionally here. We’ll hear something bassy and we’ll run up to the studio and, sure enough, somebody switched it.

Shawn Fox, Lead NPR Sound Engineer

I had tons of bass in my earlier podcasts. I just loved the way it made me sound. But it’s super unnatural, and to his point, it doesn’t peneetrate the noise of the outside world well.

My De-Echo Settings

So, resist the urge to magnify bass. The clean sound will cut through better, and it’s ultimately just more honest.
I’ve just made a bunch of changes on my RODECASTER PRO along these lines.

I don’t have the Big Bottom option enabled.
I removed the high-pass feature.
I turned off the compressor.

And in my podcast software (Hindenburg) I only have a single effect, which is to remove echo from my very small apartment room I’m in, with hardwood floors and no acoustic shielding.

So that’s my upgrade: speaking closer into my U87ai, and removing most effects.

NPR style.

—

If you get value from this content, you can support it directly for less than a latte a month ($50/year) which also gets you the Unsupervised Learning podcast and newsletter every week instead of just twice a month.

If you want to have a productive discussion on a difficult topic, start by discarding the extremes.

Very few want pure communism, pure market capitalism, zero taxes, or taxes to be doubled. If you start by accepting the solution will be a hybrid, you can often make progress, and it’s the same with this lockdown conversation.

The lockdown sucks. Everyone knows that. And virtually no one thinks that it should continue on for months in this extreme form. And most of the strongest supporters of opening back up see that some protections should be in place when we do so.

So for the adults at the table, this is not a yes/no, open/close conversation. It’s a discussion about details that asks how much, and when.

I’m not a health or policy expert, but I am something of a risk expert. Much of risk comes down to balancing variables. Sure, we could give this sensitive data to these untrusted parties, but only if we have these technical and legal controls in place first. Sure, we can let employees use their personal devices for work, but only if they install some software and accept an agreement.

This is no different.

We need to return to some semblance of normal in order to revive the economy. But there’s risk there, and the compensating controls seem to be behavior control, vaccination/treatment, testing, and contact tracing.

The problem is we don’t have many of those yet. No vaccine. No treatment. Out testing is still dismal. And contact tracing is still theoretical. All we have is masks and social distancing. This leaves us with a primary question:

Who and where should open up—at what speed—given that population’s ability to limit infection using the controls they currently have?

I don’t know the answer to that, and unfortunately it seems that nobody does. This is art guided by science, not the other way around.

When we relax the lockdown, more people will get sick. That we know for sure. When we keep the lockdown in place, more people will suffer economically. We know that for sure as well.

So, given the data we have available—and the controls we have to work with—what is the best way to turn the knobs and slide the sliders to get the best outcomes for our hospitals, our economy, and ultimately, our people?

That’s the question.

Screaming that we should continue this lockdown until we’re all vaccinated is just as asinine as screaming that everyone should go back to normal next week.

Reality and risk are nuanced, and our policies have to be as well.

Notes


Image from Getty.
It does seem like things are slowly loosening even in the SF Bay Area, though, e.g., hundreds of restaurants doing pickup/delivery, Costco full of hundreds of people, etc.

—

If you get value from this content, you can support it directly for less than a latte a month ($50/year) which also gets you the Unsupervised Learning podcast and newsletter every week instead of just twice a month.

.errordiv { padding:10px; margin:10px; border: 1px solid #555555;color: #000000;background-color: #f8f8f8; width:500px; }#advanced_iframe {visibility:visible;opacity:1;}#ai-layer-div-advanced_iframe p {height:100%;margin:0;padding:0}

—

If you get value from this content, you can support it directly for less than a latte a month ($50/year) which also gets you the Unsupervised Learning podcast and newsletter every week instead of just twice a month.

A lot of people are waiting for the one, two, and three that need to happen to make everyone relax and return to normal.

The idea is that once we get a SARS-COVID-2 vaccine, or treatment, or combination of the two, people will be ok with once again being around others in public places and at work. I think this is unlikely for a couple of reasons.

First—and most obviously—people will be worried about the next one. So that will create some measure of fear.

But the bigger problem is how our previous level of public sickness (which we largely ignored) will look exactly like the next pandemic on day 3. And people will have zero interest in wondering what some random coughing person is actually suffering from.

In the security world we call it the con-flu.

Think about conferences where people regularly get sick afterwards
Think about the office setting where there was always someone getting sick
Think about how you and your family got sick a few times per year

Now think about the fact that those symptoms are like an 80-95% match not just for COVID-19, but for a common cold, the flu, and likely the next novel Coronavirus as well.

We’re basically going to return to the public hyper-sensitized to anyone with symptoms of sickness, because the symptoms to a 2-day cold look almost identical to the next big thing.

Even worse, maybe the public cameras do this automatically using their integration with something like Clearview AI.

We’re about to see health-discourtesy reporting apps, where you catch someone coughing without a mask, and without covering their mouth, and people report them to the cops for a ticket.

We had all this drama recently about the Clearview AI technology that could map people’s faces to their identities online. Well, isn’t that going to be a requirement for identifying people in public who are breaking the rules?

And even if it isn’t, won’t it be something that governments and multiple companies try to deploy in the name of public safety? I mean, cops could see that behavior themselves and ask for identification to ticket them, but that doesn’t scale like cameras do.

Anyway.

I just think it’s naive to think addressing the COVID-19 situation is going to calm people down in public.

We spent decades ignoring the risk of diseases that kill tens of thousands per year. Less than half of people even got a flu shot. And the anti-vaccine types effectively brought back at least one disease.

That’s all going to change. The background noise of coughs, sneezes, and sick leave is about to become a malicious cacophony that people cannot ignore.

What was completely normal six months ago will be taken as proof that COVID-20 is about to bloom, with patient zero being the person right next to you.

This thing won’t just change the normal of our future. It’ll also change how we see the normal of the past.

—

If you get value from this content, you can support it directly for less than a latte a month ($50/year) which also gets you the Unsupervised Learning podcast and newsletter every week instead of just twice a month.

I’ve been thinking a lot about this Zoom situation. It’s fascinating to me that millions are using it as a lifeboat to humanity while others label it a threat.

Throughout the media you have people substituting their in-person events with virtual ones, and they all seem to be using Zoom. John Krasinski gave this medium a pulse when he had the entire cast of Hamilton perform together for a little girl. It was extraordinary.

This got me thinking more about the implicit tradeoffs we make in life with regard to functionality vs. risk—tradeoffs that we’re really bad at capturing and articulating.

Driving is basically insane. We have these massive networks of interconnected highways, where people take giant self-propelled missiles and fly them in particular directions. You’re usually just separated from an oncoming, life-changing accident by a few feet and a bit of paint. And there’s no way to know if the person in the other car is drunk or looking at their phone.

And even though thousands of people die every year in traffic accidents, nobody would even take seriously the idea of getting rid of cars and roads. We accept this risk because driving is a requirement for our society to function.

It’s a tradeoff calculation that everyone makes automatically in their head—a massive amount of good on one side, and a little bit of bad on the other.

The internet is a tire fire of horrible software. It’s astounding that the internet even works given how bad the infrastructure and software is. Basically every corporation in the world has been publicly hacked, and it’s to the point now where nobody even cares when they hear about another one. We’re like 20 years into this silly experiment and every month we have a Tuesday of Pain and Suffering because nobody’s figured out (or been forced to figure out) how to create secure products.

But the crazier part is that nobody actually cares. If they did they’d stop using it. We don’t stop using it because it’s good enough.

More precisely, a tradeoff is being made at the level of society that says the benefits of the barely-duct-taped-together internet are far greater than the downsides of all the hacks and the fraud and instability caused by its security issues.

That’s a powerful, meaningful choice we’ve made.

And that brings me back to the Zoom thing.

Zoom is no highway system, and it’s no Internet. But it’s damn sure performing a critical function for humanity right now. And it’s doing so far better than its competitors. Like, “20X growth in three weeks” better.

This forces us to place things we care about on a balance.

We care about millions of people connecting to each other in a time of crisis.
And we care about using software that doesn’t put us at risk.

So the question is simple:

How bad is the second one relative to the benefits of the first?

That is the question that matters—for highways, for space travel, for using an insecure internet—and yes, for Zoom.

This software has brought people together because it’s actually usable. I don’t know what that’s worth exactly, but it’s a lot.

And if I were to take the risk to people presented by Zoom—as I understand it—and multiply it by 10X, and put that on the other side of the scale, well, it wouldn’t even budge.

The most important thing we can do as security professionals is to keep our risk evaluations in context with what we’re protecting.

In the case of corporate infosec that’s the business, and in the consumer world it’s the business of human thriving.

—

If you get value from this content, you can support it directly for less than a latte a month ($50/year) which also gets you the Unsupervised Learning podcast and newsletter every week instead of just twice a month.

I heard Scott Galloway say recently that COVID-19 was going to act like an accelerator to a number of big changes.

The comment vibrated my center, and reminded me of something Andrew Yang said in his book, The War On Normal People.

He was talking about the coming threat to everyday jobs from automation, and said that there’s lots of tech out there that does automation of various functions, but that many managers are set in their ways and won’t migrate to them … unless…

…unless there were a crisis—like an economic slowdown, or a recession—that forced business owners to lay people off anyway. The idea is that once that happens, and the company gets stripped down to bare essentials, then when it comes time to staff back up, a lot of businesses will be looking at a lot of automation.

The New McDonalds Cashier

So maybe there was automated customer service options, but you didn’t want to fire your support people. Maybe there was automated HR software—or accounting software—but you didn’t want to fire your people who helped you build the business. But once you have to let them go anyway, you’ll absolutely be using those new tools if you are lucky enough to be able to rebuild.

So that’s the idea: an evolution burst as we come out of the slowdown (whenever that is).

Let’s look at some other ideas or trends in society that were likely to happen anyway that could get accelerated by COVID:

The Adoption of Automation and AI: Companies use more non-human options to handle the routine parts of their business (see above)
Basic Income: More people are out of work and they need income for basic survival, or some freedom to invest in growing themselves into a better career
The Rise of Audience-supported Influencers: More people develop followings doing their particular thing, and each of those people pays them a small amount per month or year to get their content
The Rise of Esports: Esports gets even more popular—and faster—because of the downtime for traditional sports. And more people can participate and observe in more types of competitions outside the constraints of reality
Millions of People Choosing Game Reality Instead of Legacy Reality: Given the natural tendency for income and wealth disparity in the real world (Piketty), combined with the massive jumps in gaming and human-computer interfaces in coming years, a lot of people are going to decide that they’d rather live in a fantasy world than the real one. Their Universal Income will be used to pay rent, food, and their gaming subscriptions, and pretty much everything that matters to them will happen in-game.

That last one is the one that will take longest, but it’s perhaps the most important and impactful. These games will increasingly become long-arc heroic journeys for people and small groups, where you start weak and oppressed and over many years become the (or one of) the heroes in that given world.

We don’t know when this is coming, but we know it is

Imagine you and your closest three friends become the only superheroes on the planet, and you’re fighting for the survival of the species—but where you getting your powers and spinning up to the final fights takes multiple years.

So it’s not you and 2,000 other strangers in an MMORPG where everyone has equal powers. No. You and your friends are the special ones. And there are bad people. And you are the ones who have the most important relationships, the most important battles, and the deepest meaning in the entire world.

That’s the future of gaming. Not because it’s cool (which it is), but because it most closely maps onto the Meaning Loop that Evolution placed into each of our brains. In THAT world, we’re winning. In THAT world, we matter.

This is why a global pandemic can serve as a catalyst and accelerator for such a transition. It’s just one more thing making reality worse for most people, and meanwhile tech advancement continues to make digital escape more appealing.

Anyway, that one’s a way out still, but it’s already started for many. Notice how many young males aren’t counted in the unemployment numbers because they’re not even looking for work. They’re too busy winning in a different world.

As for automation taking jobs, people becoming their own income source through direct patronage, and goverments handing out Basic Income to keep populations controlled—those are far more near-term and pressing.

Again, they were going to happen anyway, but this will likely hasten the transition.

—

If you get value from this content, you can support it directly for less than a latte a month ($50/year) which also gets you the Unsupervised Learning podcast and newsletter every week instead of just twice a month.

I’ve been processing my thoughts on the Zoom Security stuff for a couple of weeks now, and I think I finally have an opinion.

The hate is silly.

Like I said, I sense something strange here.

I get there are security issues. And some seem pretty bad.

But the amount of highly-coordinated PR against the company feels more like an operation than regular criticism…

The Spidey Sense is flaring for sure. https://t.co/CFS3ELYuUG

— ᴅᴀɴɪᴇʟ ᴍɪᴇssʟᴇʀ (@DanielMiessler) April 3, 2020

I had a bad Oompa-Loompa vibe immediately about all the hate they were receiving, but I couldn’t quite tell what was going on.

Some were implying there was a massive cover-up, or massive negligence, at the company, which would make it like a whistleblower situation.

But my opinion has now squarely fallen in the Camp of HaterAde. In other words, a whole lot of people got really upset when they saw a rocket take off heading for space.

So they decided to shoot it down.

And it wasn’t just competitors (although I bet many of them helped magnify the backlash). It was also security researchers. And the media.

It was—and still is—an absolute frenzy.

But here’s the thing: they had a 20X burst in usage in just three weeks—because of COVID.

Did WebEx have that? Did Microsoft Teams? Did Google Hangouts?

No.

Why not? Because they’re nowhere near as intuitive to use.

So we’re in the middle of the biggest event in most people’s memory—an event that has isolated us from others—and one company had a product that made connection easier for millions of people.

Lots of companies had competing products much earlier than them. Years earlier. Skype, Hangouts, Webex—they all had their shot.

But Zoom comes in and makes something people actually want to use.

And now that we’re in a crisis, it turns out that it’s the go-to option for people due to its user interface.

Turns out it also has vulnerabilities. Actually a lot of them.

But if you’ve been in security a while you know that vulnerabilities aren’t absent just because they aren’t being talked about. If you looked at Hangouts, or WebEx, or any of these other options the same way we’re looking at Zoom, it’d likely be just as nasty.

Yet people are banning Zoom. Because of Zoom-bombing.

It’s only called Zoom-bombing because Zoom was the only product popular enough to get bombed.

That’s like claiming Ford was the #1 manufacturer involved in vehicle deaths 2 years after the car was invented.

Nobody’s using the other platforms, and nobody cares about them. Because they’re not easy and intuitive to use for beginners.

The more usage you have, the more scrutiny.

And I think it’s funny that Google banned Zoom. Really? That’s your technique for gaining marketshare? Ban the competitor that just did to the market what you should have done 5 years ago? Maybe it’s because Google is small and has no money. That’s probably why they couldn’t figure out how to make a good product.

What annoys me is that we’re not paying attention to the inherent balance involved in technology and security.

Everything in security is a tradeoff. The only question is whether you’re properly measuring both sides to make an informed choice.

For people banning Zoom all over the place right now, the tradeoff is not communicating easily with people in a moment of intense need.

Not. Communicating. During. Intense. Need.

That’s on one side of the balance.

On the other side you have a bunch of vulnerabilities that can maybe be exploited, by certain people, and that are actively being addressed by the company.

And I’m not giving Zoom a pass. They shouldn’t have had these issues in the first place. And it took them too long to fix some of them.

But they seem to be responding well now.

Anyway.

My recommendation is simple: know your tradeoffs. At all times.

Zoom had a 20X increase in traffic because it just provided a massive benefit to humanity.

Banning it requires that the risk to people from using Zoom is as bad or worse than not being connected to people in a way that’s intuitive and easy.

And by my calculation, the comparison is not even close for 99% of people.

So if you’re the Pentagon, maybe don’t use Zoom for a bit.

For most others, Zoom is quite safe. And now that they’ve had all this scrutiny, it’s probably much safer than its alternatives.

Enough already.

Notes


April 9, 2020 — I have a friend who is familiar with Zoom’s security going way back, and he says their security was markedly worse than other companies, and that their team was not responsive to vulnerabilities being presented. I trust him a lot so the question really becomes how much they’ve changed since a year or two ago. I think with Alex Stamos coming on, and all the work they’re doing now, they’re likely to be in a good spot, but the question remains whether their culture is now deeply focused on security, or if all this work is being done just to reduce scrutiny. The good news is that either way the security will improve. But things will be better for longer if they care about security at a deeper level.

—

If you get value from this content, you can support it directly for less than a latte a month ($50/year) which also gets you the Unsupervised Learning podcast and newsletter every week instead of just twice a month.

One of my hobbies—when I’m unable to do anything else—is imagining what use I could be to the world if placed a hundred, two hundred, or a thousand years in the past.

What science do I know enough about to actually share? This is usually quite depressing, but it’s good exercise.

Closely related to that, I also like imagining that I’m debating someone who doesn’t believe in something modern and obvious—like evolution, or the fact that the planet is a sphere.

It’s quite easy (and lazy) to just say you trust the scientists. Sure. So do I. But there’s an unpleasantly thin line between trusting science and having Faith™. So, for any given scientific belief that you share yet has controversy from some group, what would you do to actually prove it?

It’s good fun.

Here are a few ideas I have been loosely collecting in my brain for confirming that the Earth is round.

If you take the physical location of all known satellites at a given moment, and map them onto three-dimensional space, you’d end up with the shell of a sphere, not a rectangle
If you shoot a homemade rocket into the sky with a camera, you can look through it and see the curvature of the horizon
When the Earth gets in front of the sun and casts a shadow on the moon, it’s a round shadow

When you look at the moon in the sky, it looks like a sphere. Sometimes it’s round, and sometimes it’s partially lit. But you definitely don’t feel like you’re looking at a flat rectangle or a flat circle. It has the curved light line and shadow exactly as if you were shining a light on a sphere.
GPS works based on satellites moving in orbits around a sphere
We can perfectly predict where the Sun, moons, and planets will be, down to the exact second. And those predictions wouldn’t work if all those things were flat instead of spheres
If the Earth were flat you could lift yourself off the surface of the Earth by a few thousand feet and see the edge of the world with a massive telescope. You can’t do that because you hit the horizon, which is the curve of the planet
You can shoot a laser parallel with the ground on a very flat surface (like in the desert), and have the receiver need to be raised more and more the further you move the receiver

A partial solar eclipse

When the moon comes between us and the Sun (which happens perfectly predictably based on a scientific model of the solar system), you clearly see a round thing coming in front of the sun. Why would it be round and not a disc? Or somewhere in-between? How does it look perfectly lined up? Sure, it could be a disc that’s at a perfect 90 degrees, but how is that possible every single time there’s an eclipse? Same with the moon casting a shadow on the Earth.
There’s not enough power on satellites to keep going edge to edge on a flat surface and turning around. It takes a lot of energy to get up to speed, slow down, start again, etc.
You can track a single plane’s location as it moves across the map. The path it takes works in one map and doesn’t in another.
You can follow the ISS moving a straight line around the planet and map every city it crosses. Notice that it never changed direction, but it did end up back to a similar place to where it left.
You can fly from Australia to South America in like 12 hours, which you shouldn’t be able to do, and you can use online flight trackers to watch them make the journey routinely.

If you can think of others that would be easy for people to do, please let me know.

—

If you get value from this content, you can support it directly for less than a latte a month ($50/year) which also gets you the Unsupervised Learning podcast and newsletter every week instead of just twice a month.

A list of videos I’ve either created myself or that have been recorded from presentations, panels, or podcast appearances.

My Videos (YouTube)







Appearances

—

If you get value from this content, you can support it directly for less than a latte a month ($50/year) which also gets you the Unsupervised Learning podcast and newsletter every week instead of just twice a month.

In this video I provide a simple explanation of what I believe to be the most important concept in mindfulness and meditation: the distinction between distraction and awareness.

After trying to study meditation for a couple of decades, I finally got into it through Sam Harris’ app, Waking Up. And one of the first things I realized when starting is that you’re either distracted or you’re not.

And most of us are. Most of the time.

It’s remarkably simple, then, to become a practitioner. You simply have to work to spend less time distracted.

I’ve have a place to capture my journey with all this, and perhaps it’s arrogant to practice for a few months and think I’ve found the most important thing.

Maybe after 10 or 20 years I will think some other concept is more fundamental to awareness and meditation than this distinction.

But I doubt it.

—

If you get value from this content, you can support it directly for less than a latte a month ($50/year) which also gets you the Unsupervised Learning podcast and newsletter every week instead of just twice a month.