Daniel Miessler's Blog, page 82

June 15, 2019

Lupus Liberalism Will Lead to a Trump Win in 2020



I’m starting to wonder if many of those on the extreme left are secretly working for the right. I say this because if I were a right-wing political strategist there is one approach that I’d be advocating to get Trump re-elected: basically, trigger the left against itself so that it self-destructs.



I’m in cybersecurity, so I have a habit of thinking of the worst that an opponent can do.




First, I’d find the best ideas and candidates that could unify the progressives in opposing Trump.
Then I’d create extreme-left attacks against those ideas.
And then I’d mercilessly go after moderate liberals on social media using those attacks, in order to either make them switch to the right or disengage from politics completely.


Brilliant. Make the left eat itself, which will empower the right.



So if the moderate left says: “Everyone should have access to affordable healthcare”, our attack narrative would be:




Wow, it sure takes a lot of privilege to see the world as equal when people of color have far less access to all of life’s essentials.




Or if someone on the left says, “We have to teach kids programming so they can enter this lucrative economy”, we would respond with:




The tech elite loves to elevate themselves, and this mentality is precisely why so many poor people are suffering in the gig economy.




Basically, if you see a decent statement by someone on the left, find a way to interpret it as not being woke enough, and spin it as hateful and bigoted in order to anger and marginalize the person who said it. And do this in public so they spend the next several hours or days defending themselves from fellow progressives.



If the left eats itself, only the right will remain.



You might think this is too Machiavellian or obvious for anyone to try, but whether it’s natural or orchestrated, it appears to actually be happening.



As a real-world example, Andrew Yang is an Asian American child of immigrants from Taiwan, and a life-long Democrat. He believes that identity politics (which by definition focus on how we’re different) are dangerous to unity, and that we should focus more on how we’re similar. Seems progressive enough, right?



But no. In what appears to be perfectly in-line with the right-wing attack strategy outlined above, the extreme left is attacking him as someone who doesn’t care about people’s identities. Similarly, he also wants to give everyone $1,000 a month to help them transition from the old economy to the new one, i.e., more creative work, but since this will also help truck drivers and manufacturing workers, the attack narrative says—get this—that he’s secretly supporting white supremacy.



Obama recently talked about this behavior—which I call Lupus Liberalism because it is good intentions that end up doing harm—as circular firing squads. He writes,




“One of the things I do worry about sometimes among progressives in the United States,” he said, “maybe it’s true here as well, is a certain kind of rigidity where we say, ‘Uh, I’m sorry, this is how it’s going to be’ and then we start sometimes creating what’s called a ‘circular firing squad’, where you start shooting at your allies because one of them has strayed from purity on the issues. And when that happens, typically the overall effort and movement weakens.”

Barack Obama




Another example just happened within the cybersecurity community, where the Black Hat security conference was forced by social media feedback to remove a keynote speaker because of his voting record on women’s rights. In response to the outrage that got him removed, Jennifer Granick asked a great question on Twitter.



What other views disqualify someone from keynoting Black Hat? Best not to invite any legislator with more than a term under her belt. Should Black Hat now ask potential speakers for their views on abortion, or is it fine so long as we don't know? https://t.co/1TmcFMOLQk

— granick (@granick) June 14, 2019


She was immediately attacked by people on the left, many of whom started explaining feminism and IT and security to her. Amazing. Explaining those things to Jennifer Granick. The previous Black Hat keynote speaker. Who’s also a security expert. And a lawyer. Who has defended tons of hackers. And who works for the ACLU.



Granick is a Paladin for the left, and she’s being attacked by the very town she’s defending from the horde.



It’d be hard to invent a better example of the left attacking its own, and all because she basically said it’s dangerous to start denying speakers based on their political views. I agree with many of the arguments to not have Hurd do a keynote, actually, but to attack a female security expert who works for the ACLU defending hackers—for saying we should be cautious with excluding people based on their beliefs—is patently ridiculous.



Whether we use the term Regressive Left, or Circular Firing Squad, or Lupus Liberalism, the idea is the same. Those on the extreme left are trying to do the right thing. They want mostly the same things I want, e.g., equal opportunities in the workplace—including policies that help correct for the past, equal treatment under the law, accessible and affordable education and healthcare, etc. But this faction has chosen tribalism, callout culture, and outrage as their primary weapons, and it’s become a blood frenzy where they care not who they injure.



I’d be more ok with this cycle of self-exploration on the left if there weren’t so much in the balance, but we don’t have time for this. If we can’t stop attacking and alienating our own on the left, we’re going to end up with a tiny faction of left-leaning extremists on one side, and everyone else on the other.



Which means we’ll end up with Trump as our president until 2025.



If we want to avoid that, we must find a way to stop own-goaling ourselves, and instead focus our attention on the active and malicious efforts of those in the extreme right.



Notes


I think a keynote slot wasn’t a good choice for Will Hurd because it’s a session designed to be seen by everyone. It is, of course, still an optional session just like all the others, but keynotes are supposed to be attended by the entire conference, so I think that supports the position to go with another speaker. I’m not sure what decision I would have made, but I do see that as a contributing factor. As for his politics, I seem to disagree with almost every position he has, from women’s rights to interactions with Russia, but if he is trying to raise awareness of cybersecurity in our government I can see why he’d get an invite to a cybersecurity conference.



Become a direct supporter of my content for less than a latte a month ($50/year) and get the Unsupervised Learning podcast and newsletter every week instead of just twice a month, plus access to the member portal that includes all member content.

Published on June 15, 2019 09:06

June 11, 2019

Unsupervised Learning: No. 181



Unsupervised Learning is my weekly show that provides collection, summarization, and analysis in the realms of Security, Technology, and Humans.



It’s Content Curation as a Service…



I spend between five and twenty hours a week consuming articles, books, and podcasts—so you don’t have to—and each episode is either a curated summary of what I’ve found in the past week, or a standalone essay that hopefully gives you something to think about.



Subscribe to the Newsletter or Podcast



Become a member to get every episode









Published on June 11, 2019 06:37

June 9, 2019

Unsupervised Learning: No. 181





Published on June 09, 2019 21:09

June 5, 2019

The Holy Trinity of Air Travel Convenience



If you’re a US Citizen who flies a decent amount, there are three things you should absolutely do.



1. The Trusted Traveler Program (Global Entry)





With Global Entry, you get the ability to bypass the customs line when coming into the United States. Instead, you move quickly off to the side where you scan your Passport and fingerprint on a machine, and that’s it.



The process is fairly painless: you sign up for an interview (usually at an airport), and you answer some questions with someone for around 10 minutes. And within a week or two you get approved. Then, not only do you get easier access back into the US, but once you have Global Entry you automatically get Pre-check on every flight as well!



Cost: $100/5-years



2. CLEAR



CLEAR is a service that lets you get through lines faster in many US airports. You can enroll right at the airport, and it becomes active immediately.



Instead of waiting in the regular line, or even the Pre-Check line, you go to the CLEAR lane, scan your ticket and your fingerprint, and an attendant takes you to the front of either the Pre-Check or regular line (depending on what kind of ticket you have).



Cost: $179/year



3. Priority Pass



I tend to get the one that gives you 10 free per year.



Priority Pass gives you access to over 1,200 airport lounges around the world. You simply show your card (or digital version), and you get in for free, depending on what level you get.



Cost: $299/year



Summary

Getting these three services will significantly improve your life if you travel more than 5-10 times a year.



There is seriously no comparison between flying naked (no priority access or membership benefits) vs. flying with preferred status and options.



Go do it!



Bonuses


Make sure every flight you take is tied to your frequent flyer account with your airline.
Look for interactions between hotel points, airline points, and credit card benefits.


Notes


The Chase Sapphire Reserve credit card (as well as many other top cards) will pay for (or at least offset) the cost of Global Entry and Priority Pass. Those benefits alone might make premium cards worth it for some.




Published on June 05, 2019 23:11

An Ngrok Tutorial and Primer






Introduction
Adding Authentication
HTTPS Listeners
Tunneling SSH
Tunneling RDP
Serving Directories
Summary
TL;DR






This works because Ngrok is calling outbound, and meeting its other side on the internet.



Ngrok is an application that gives you external (internet) access to your private systems that are hidden behind NAT or a firewall. It’s basically a super slick TCP tunnel that provides an address that anyone can get to, and then links the other side to something that’s normally inaccessible.



Just because hackers use something doesn’t make it automatically malicious.



Two of the examples they give, public URLs for sending previews to clients and demoing from your own machine, are cool, but if you’re in security like I am, the main use case is granting external access to internal systems once you’ve, um, gained access.



Ngrok simplifies what used to require lots of trickery, usually involving SSH.
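Because the agent dials out to the relay, the defender's observable is an internal host making outbound connections to ngrok's hostnames, not anything inbound. The following is an added example (not ngrok's code or the post's), assuming a constructed connection-log format and a hostname list taken from ngrok's documented service domains, which you should tune to your environment:

```python
"""Flag internal hosts whose outbound connections hit ngrok relay or tunnel hostnames.

Added example for this page, not ngrok's code. The hostname suffixes are an
assumed list (tune for your environment); the log lines below are constructed.
"""
import re
from collections import defaultdict

# Hostnames the ngrok agent dials and that public tunnel URLs resolve to.
NGROK_DOMAIN_SUFFIXES = (
    ".ngrok.com",        # agent control plane, e.g. tunnel.ngrok.com
    ".ngrok-agent.com",  # newer agent connect endpoint
    ".ngrok.io",         # classic public tunnel URLs
    ".ngrok.app",
    ".ngrok-free.app",
)

# Constructed log format: "<timestamp> <src_host> <dst_host>:<port> <proto>"
LOG_RE = re.compile(r"^(\S+) (\S+) ([^:\s]+):(\d+) (\S+)$")


def is_ngrok_host(host: str) -> bool:
    """True if host is an ngrok domain or a subdomain of one (label-boundary safe)."""
    host = host.lower().rstrip(".")
    return any(host == s.lstrip(".") or host.endswith(s) for s in NGROK_DOMAIN_SUFFIXES)


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, proto = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto}


def find_tunnels(lines):
    """Return {src_host: ["dst:port", ...]} for sources that reached ngrok endpoints.

    The outbound control connection is what makes the tunnel work, so it is
    also the signal to alert on; the inbound side never touches your perimeter.
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_ngrok_host(rec["dst"]):
            hits[rec["src"]].append(f'{rec["dst"]}:{rec["port"]}')
    return dict(hits)


# Constructed sample: two hosts dial ngrok, one is benign, one is a lookalike
# ("notngrok.io" must not match because the suffix check respects label boundaries).
SAMPLE_LOG = """\
2019-06-05T21:00:01Z ws-042 tunnel.ngrok.com:443 tcp
2019-06-05T21:00:02Z ws-042 connect.ngrok-agent.com:443 tcp
2019-06-05T21:00:05Z ws-017 www.example.com:443 tcp
2019-06-05T21:00:09Z ws-017 notngrok.io:443 tcp
2019-06-05T21:00:12Z ws-099 abcd1234.ngrok.io:443 tcp
"""

if __name__ == "__main__":
    for src, dsts in find_tunnels(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {', '.join(dsts)}")
```

In production, feed this the same fields from your proxy or DNS logs; a host that dials these endpoints without a known business reason deserves a look.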



The other cool thing about Ngrok is that it allows you to see the HTTP traffic that’s being tunneled over it. This especially helps the normies that are using it legitimately for troubleshooting (

Published on June 05, 2019 21:09

June 3, 2019

Unsupervised Learning: No. 180 (Member Edition)



This is a Member-only episode. Members get the newsletter every week, and have access to the Member Portal with all existing Member content.





Non-members get every other episode.












Published on June 03, 2019 22:47

June 2, 2019

The Intellectual Dark Web (IDW) and Dark Forest Theory



A sci-fi trilogy called The Three Body Problem included a powerful concept called Dark Forest Theory, which basically says it’s a bad idea for people who don’t know about their surroundings to make noise that might attract attention.



Or, taken as a game theory strategy, it’s better to destroy other civilizations before they get the chance to destroy you.



Stephen Hawking also disliked the idea of screaming out to potential scavengers that we’re here and vulnerable.



Another—extremely depressing—perspective is to imagine that the reason we haven’t heard from aliens is that they were all killed as soon as they got enough technology to announce that they were there. Which we just recently did, meaning they could already be on the way.




We would not have detected extraterrestrial radio traffic- nor would any ETIs have ever settled on Earth- because all were killed shortly after discovering radio.

David Brin




Being in cybersecurity I find the analogy a bit unsettling, since the Dark Web usually traffics in the unsavory.





This reminds me a lot of the Intellectual Dark Web (IDW), which is a term coined by Eric Weinstein on Sam Harris’ podcast. He used it to describe a place where people could have meaningful conversation amongst themselves without unwanted attention—with “Dark Web” referencing the technology term for the part of the internet that isn’t directly exposed to search and browsing by regular people.



In other words, the IDW started as a place to safely enjoy real conversation, and I see this as very similar to Dark Forest Theory where you must hide to avoid being targeted.



The central thread in both the IDW and Dark Forest Theory is that your true self must remain hidden.



This may be a good strategy for a planet in a hostile galaxy, but it’s no way to behave in a democracy. Democracy requires a marketplace of ideas, and you can’t have a market without variation.



ISIS and Nazi types are the exception.



Hiding one’s opinion is the ultimate signal of unhealth in an open society. It means the conversation has ended, and the strategy has shifted to labeling and scheming. And that’s precisely what we have in 2019—not just in the US, but throughout the western world.



Let’s work on Earth climate change before trying to fix the galaxy. Priorities.



The Dark Forest and Intellectual Dark Web are respectable self-defense techniques, but they indicate a world that we don’t want to live in. It’s on all of us to rebuild an environment where they’re no longer needed.





Published on June 02, 2019 19:46

May 30, 2019

Responding to Rob Graham’s “Your Threat Model is Wrong” Post



I’m a huge fan of Rob Graham and all he’s done for InfoSec. I also enjoy the fact that he seldom avoids a tussle. If he disagrees with you, you’re likely to hear about it.



I probably agree with him on 85% of topics, so when he did a post recently, called Your Threat Model is Wrong, I was surprised I disagreed with so much of it. He basically took multiple complaints being made by others, and explained them away by saying their threat model was wrong.



Phishing

First, he argues that it’s wrong to fire people for failing phishing tests because it’s impossible to pass them.




The (wrong) threat model here is that phishing is an email that smart users with training can identify and avoid. This isn’t true. Good phishing messages are indistinguishable from legitimate messages.

Robert Graham, Your threat model is wrong




This ignores the fact that there are clearly people good at spotting phishing, and people who are bad at it. Some people go for years at a company, through dozens of campaigns that are taking place constantly, and never click a phishing email. Others are repeat offenders and will click almost anything. Whether that’s a mindset difference or a training difference, the person who is more click-happy represents more risk to the company.



Nobody is making the argument that this should be your only control—yes, absolutely do 2FA and many other things—but today’s reality is that the user is still often the last line of defense, and that the more trained and cautious they are the better posture the entire company will have.



Internet of Things

Here he argues that auto-updates are a bigger threat than billions of IoT devices coming online.




Anyway, this is just the start of your “wrong threat model”. The main security weaknesses that cause 99% of the problems are services exposed to the public Internet and users exposed to the public Internet. IoT has neither of these, and thus, billions added to the Internet are not the problem you imagine.

Robert Graham, Your threat model is wrong




First, I agree about the auto-updates piece, but it seems like that can be mitigated somewhat easily by introducing staggered rollouts of updates, improved rollback capabilities, and other controls. But still, I agree it’s a major issue.



But as far as IoT devices not being an issue, I don’t get that. The future doesn’t have IoT devices, it has everyday things that are online. Cars, houses, cities, roads, lights, power, water, etc. And the thing that makes their connectivity useful is having it be…well, connected.



The internet-ization of ICS/SCADA is a case in point.



If you can click a button, or give a voice command, and have major things happen—which is the entire point of IoT—then that’s because the systems are listening and receiving commands in some way. Whether that happens with internet-facing ports, single ports passing back to private control systems—it matters not. The point is that this is the functionality that everyone wants, that everyone is building, and that is being put into more and more systems with more and more power/functionality/risk.



I don’t see a world of billions (and then trillions) of smart objects that aren’t accessible because we ran out of IPv4. There are ways around that, and you can rest comfortably knowing that a multi-billion dollar industry will find those ways.





Finally, he says in the last part of that section that he worries about Windows vulns, things exposed to the internet, and automatic updates of popular products—but not IoT.



We must be disagreeing on terminology here, because things online that control the world around us WILL LARGELY BE THE IOT. A lot of them will run Windows, be exposed to the internet, and will have update considerations. Every problem he mentioned will apply.



Analysis

I agree with Rob that people often get distracted by the wrong threat scenarios and end up worrying about and fixing the wrong things. I also agree that fixing admin rights is more important than launching phishing campaigns.



But you don’t have to choose one.



Many organizations can, have to, and are doing both—in addition to many other things. So it’s not one or the other—not for phishing vs. admin, and not for updates vs. IoT.



Rob is awesome, but I think he went astray on these.



Notes


I also pinged Rob before writing and posting this, just to give him a heads-up that a friendly volley was coming his way. He was a good sport as always.




Published on May 30, 2019 22:29

May 29, 2019

Thinking of Deepfakes as Malicious Advertising

With global leaders the implications are potentially severe



Someone released a video recently that seemed to show Nancy Pelosi slurring and mangling her speech. The video spread virally in right-leaning circles, but it soon turned out to be fake.



I commented on this in my most recent newsletter, saying:




What this shows us is that it’s not the machine learning that makes Deepfakes dangerous; it’s the willingness of a massive percentage of the US population to believe total garbage without an ounce of scrutiny.

Unsupervised Learning, No. 179




But a reader on Twitter named David Scrobonia had an even more interesting point about this.



This is a really interesting point about deepfakes.

Seeing them can detonate in your brain and affect your emotional view of the subject, even if your logical brain learns/knows it’s false.

That’s the same mechanism as advertising, i.e., target the emotions, not the logic. https://t.co/VrPlV7Defa

— Daniel Miessler ☕
Published on May 29, 2019 08:13

May 28, 2019

The Unsupervised Learning Newsletter

There is also a podcast version of the newsletter.





My ~12 hours of research gets consolidated into 20 minutes of content!



Get Access to Member Editions



Newsletter Archives



Podcast Archives





See you for the next issue!



Best,

Daniel





Published on May 28, 2019 23:59

Daniel Miessler
Daniel Miessler isn't a Goodreads Author (yet), but they do have a blog, so here are some recent posts imported from their feed.