Daniel Miessler's Blog, page 84

May 3, 2019

Why Required Password Changes Reduce Security



So I was listening to the Risky Business podcast this week and heard Adam Boileau mention something extremely juicy in passing during the news segment.



Patrick asked him about Microsoft removing password expiration in an upcoming version of Windows, and if he thought that was a good or bad thing. His response was super interesting.



They also mention later that there are exceptions where you definitely want to rotate them.




I’m certainly of the opinion that rotating passwords makes things actively worse. I have the data to assert that.

Adam Boileau, Risky Business Podcast #539




Patrick pushed further, and here’s how he expanded on it.




If you look at password changes over time there’s a direct correlation between the amount of entropy per password change and the number of times you change your password. The longer you’ve been at an organization the worse your password is because you’re forced to change it more often.




He went on to say that this is because, “you settle on a scheme.”



Patrick wanted him to write a report on this—which would be fantastic—but Adam said he’s too busy.



And 2FA of course.



But I thought it was a brilliant nugget, and too good not to capture.



Basically, empirical data showing that if you’re using super-strong passwords—that are unique—it’s markedly worse to force users to change them often, because the organization will end up with weaker ones over time.
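The “settle on a scheme” failure mode Adam describes (Summer2018! becomes Fall2018!, Password1 becomes Password2) is something a change-password flow can catch, because the user has just typed the old password and the server briefly has both values in plaintext. The Python below is an added example, not code from this post or the podcast: the normalization rules, the 0.8 similarity threshold, and the constructed SCHEME_HISTORY sample are this example’s own assumptions, and a real deployment would also keep a history of hashed passwords for the usual reuse check.

```python
"""Reject scheme-based password rotations at change time.

Added example, not from the original post. Assumes the change flow has
the old and new passwords in plaintext for the duration of the check.
"""
import re
from difflib import SequenceMatcher

# Constructed sample of the kind of scheme a user settles on when forced
# to rotate every 90 days. Not data from the podcast or the post.
SCHEME_HISTORY = ["Summer2018!", "Fall2018!", "Winter2019!", "Spring2019!"]

# Tokens a scheme typically swaps between rotations (assumed list).
_SEASON_OR_MONTH = re.compile(
    r"spring|summer|fall|autumn|winter|"
    r"jan(uary)?|feb(ruary)?|mar(ch)?|apr(il)?|may|jun(e)?|"
    r"jul(y)?|aug(ust)?|sep(tember)?|oct(ober)?|nov(ember)?|dec(ember)?"
)


def normalize(password: str) -> str:
    """Collapse the parts a scheme usually varies, so two passwords built
    from the same template normalize to the same string.

    Order matters: punctuation is stripped first so that '@' and '#'
    placeholders introduced below can only come from the substitutions.
    """
    s = password.lower()
    s = re.sub(r"[^a-z0-9]", "", s)    # drop punctuation and spaces
    s = _SEASON_OR_MONTH.sub("@", s)   # any season or month -> '@'
    s = re.sub(r"\d+", "#", s)         # any run of digits   -> '#'
    return s


def similarity(old: str, new: str) -> float:
    """Case-insensitive character-level similarity in [0, 1]."""
    return SequenceMatcher(None, old.lower(), new.lower()).ratio()


def is_scheme_rotation(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when `new` looks like a mechanical variation of `old`:
    same template after normalization, or too many shared characters.
    The 0.8 threshold is an assumed policy value, not a recommendation
    from the post."""
    if normalize(old) == normalize(new):
        return True
    return similarity(old, new) >= threshold


def flagged_rotations(history: list[str]) -> list[int]:
    """Indices i such that history[i-1] -> history[i] would be rejected."""
    return [
        i for i in range(1, len(history))
        if is_scheme_rotation(history[i - 1], history[i])
    ]


if __name__ == "__main__":
    for i in flagged_rotations(SCHEME_HISTORY):
        print(f"rejected: {SCHEME_HISTORY[i - 1]!r} -> {SCHEME_HISTORY[i]!r}")
```

Every transition in the constructed history is rejected, while a change from a passphrase to an unrelated random string passes. The normalization deliberately over-matches (a “mar” inside “smart” becomes a placeholder) because the cost of a false positive here is one extra prompt, not a lockout.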



Good to know.



And I do hope Adam eventually writes that paper.



Notes


This has always been intuitive to me, and I’m sure many others, that if you rely on the human they’ll build security that matches their limitations (in this case memory). This is why there’s been such a push for password managers. It was just so interesting to hear about actual data collected to support our intuition.
Some might say we’ve not yet seen the data, so we can’t really come to any conclusions. My response is that you have to choose to trust if you want to expand your knowledge of the world beyond your own experience. And the Risky Business show, Patrick, and Adam are definitely on that list for me.



Subscribe for one coffee a month ($5) and get the Unsupervised Learning podcast and newsletter every week instead of just twice a month.

Published on May 03, 2019 01:44

April 30, 2019

Unsupervised Learning: No. 175



Unsupervised Learning is my weekly show that provides collection, summarization, and analysis in the realms of Security, Technology, and Humans.



It’s Content Curation as a Service…



I spend between five and twenty hours a week consuming articles, books, and podcasts—so you don’t have to—and each episode is either a curated summary of what I’ve found in the past week, or a standalone essay that hopefully gives you something to think about.



Subscribe to the Newsletter or Podcast



Become a member to get every episode









Published on April 30, 2019 21:38

April 27, 2019

The Bottom of the Meaning Well is Race



I think what’s happening to America right now can best be captured as a catastrophic loss of meaning.



Bowling Alone is the canonical work on the loss of community in our lives.



We’ve spent decades cutting religion out of our lives, we’ve stopped interacting with each other, many core “American” jobs have been deprecated due to automation efficiencies. And now the nation’s complexion is changing through immigration and demographics.









If you’re lucky enough to live on one of the coasts, or one of the big cities, and you have a decent education in a hot field, you’re basically fine. Those people have learned to wear their work and their projects like an exoskeleton.



People immersed in tech don’t have time to think about meaning because they’re too busy with their jobs, projects, and startups. Their work becomes their meaning.



But most people aren’t on the coasts with opportunity in a hot field. Most people live in the middle of the country, or are struggling in the big cities. Their meaning comes from sources that have been stripped away over the last few decades. Things like Work, God, and Country.



And once those sources of self-worth are depleted, there is an unfortunate last rung of the meaning ladder—race.



This is true in prison, and it’s true in Trump’s followers who feel they have lost their work, that their religion is under attack, and that their country is being invaded by outsiders.



This, more than anything, is the threat we face in 2020—an angry and mobilized mass of white people at the bottom of the meaning well.



In 2016 we liberals didn’t listen to their anger, and if we ignore it again we’ll have Trump for another 4 years.



Listen.



Notes


This idea emerged from a conversation with my friend Joel P.



Published on April 27, 2019 23:30

April 25, 2019

Google’s March 2019 Core Update Resuscitated my Site



In October of 2018 my site was hit by a meteor called Google.



My traffic dropped by over 60% in just a couple of weeks—going from around 10,000 pageviews a day, to around 4,000.



Read about the March 2018 Update



After some research and help from Thomas Zickell, I knew that this was a Google algorithm update, but I still decided to tend to my SEO garden to see if I could help the situation.



Here are some of the things I did:



I’ve been blogging since 1999, so I have thousands of posts.




Removed hundreds of old, personally-relevant (but not publicly useful) posts
Removed lots of thin content
Updated some of the metadata for the site
Refreshed a few of my key pages
Changed my top-level nav
Added sub-menus to my top-level nav
Added anchor pages for Information Security and Cybersecurity
Other minor tweaks


I also had a recent article go viral due to some famous associates sharing it on Twitter, so that probably had an impact as well.



As is usually the case, you never know what exactly is working, or if Google is changing things on their side. But to me the graph matches the March Update pretty clearly.



I am sure there were many factors, but it seems clear that the March Core Update was a major one.



Many people are saying that this update reversed a lot of damage done to some sites in 2018, and I think that’s definitely true for me.



I was really worried that I was being punished because I talk about so many different topics on my site, and that I’d never make it back. But I noticed something while my traffic was low that gave me hope: many of the pages that ranked higher than me were really, really bad.



That told me that this wasn’t a policy change, but rather experimentation with something that would likely be fixed in the future for the benefit of users.



And that seems to be exactly what happened. I’m now up over 25,000 spots on Alexa, to sub-100K again.



Anyway, I hope this helps someone who might be going through something similar.




Published on April 25, 2019 00:49

April 24, 2019

Unsupervised Learning: No. 174 (Member Edition)



This is a Member-only episode. Members get the newsletter every week, and have access to the Member Portal with all existing Member content.





Non-members get every other episode.











Published on April 24, 2019 01:01

April 21, 2019

The Difference Between Goals, Strategies, Metrics, OKRs, KPIs, and KRIs



Anyone who’s been in business for a while has had the conversation about measuring performance. The topic makes some people radiate with joy and gives others a case of severe narcolepsy.



Here I want to talk about a few different business terms that are too often conflated or confused: Goals, Strategies, Metrics, Objective Key Results (OKRs), Key Performance Indicators (KPIs), and Key Risk Indicators (KRIs).



Standard in this context means that the system needs to be agreed upon by presenter and audience.




Goals are desired outcomes, e.g., increase sales, improve our hiring process, or increase profit by 35%.
Strategies are prescriptive plans or methods of achieving stated goals.
Metrics are standards of measurement that capture the efficacy, performance, or quality of a plan, process, or product. The term Metrics is quite general, and applies to any situation where the purpose is to keep track of progress against a goal. Examples include Number of Sales, Revenue Generated, Accidents this Quarter, etc.




OKRs often have a single goal but multiple key results.




Objective Key Results (OKRs) combine both goals and metrics into a single system focused on simplicity and business alignment. The system works by filling in the statement,



“I will _____ as measured by ______.”



An example of an OKR would be a goal of “Improving Customer Service”, as measured by “Improving Positive Survey Results by at least 25%”.


KPIs feel like the weakest term here, because they’re really just a high priority metric for the business.




Key Performance Indicators (KPIs) are metrics for key business objectives, so you don’t want to call every business metric you have a KPI. Examples might include Average Sale Per Customer (for a sales organization), Time to Resolution (for a customer service group), or Time to Remediation (for a security program).





Key Risk Indicators (KRIs) are designed to alert decision-makers that the risk level for some component of the business is nearing—or has crossed—a predetermined threshold of tolerance. Examples might include: the probability that a key hardware component will fail, the number of complaints per 1,000 customers, Reported Workplace Incidents, etc.


The main difference between Metrics and other terms is that some of the terms include objectives, which Metrics do not.



Key differences between measurements

Because so many of these sound similar, it’s important to call out the distinctions.




The difference between a Goal and a Strategy is that a strategy is a defined way of achieving Goals. Goals are the objective, and strategies are how to get there.
The difference between KPIs and KRIs is that KPIs are generally for positive elements, such as Sales per Employee—which you want to be high—while KRIs you want to keep lower than a certain threshold.


The “Key” part of KPI should remind you to limit their number.




The difference between KPIs and regular metrics is that KPIs are the things that—if you don’t do them well—the business is almost guaranteed to fail. You don’t want to make every metric a KPI, because if everything is critical then nothing is.


If a decision cannot be made as the result of consuming a given metric, ask yourself why you’re tracking it.




The difference between OKRs and KPIs is that OKRs are focused on both the objective and the success criteria, whereas KPIs are often tracked without defining what a good or bad number actually is (and those numbers can change).


Summary



Metrics are like Intelligence in that both are designed to improve our understanding of reality.




Regardless of the system, always remember that the purpose of measurement is to improve decision-making through a better understanding of reality.
Metrics are measurements of things that matter to help you make better decisions.
KPIs are your business-essential metrics.
KRIs are operational-risk monitors to make sure you’re operating within risk tolerance.
OKRs are a combination of objectives and associated measurements.


Notes


My favorite article on OKRs Link



Published on April 21, 2019 13:37

April 19, 2019

My Predictions for Who Will Die in Game of Thrones



I normally write about security, technology, and how they interact with humans, but I’m making an exception here for a prediction on Game of Thrones.



I read a book recently called Superforecasting: The Art and Science of Prediction, and it talked about professional predictors of complex events. They get rated on how accurate they are, how much confidence they put into their predictions, and how much they miss by.



This text will not be modified after April 19th, 2019 other than what’s indicated in the notes below.









So I simply want to know how much I’ll miss by for specific predictions on how the story will unfold.



Characters



Basically, imagine the most heroic ends possible—with most people dying and a few random and tragic deaths—and that’s what we’re going to get.



Arya will probably live because she becomes part of the mystery and danger of the world, and Tyrion probably lives because he becomes the tragic hero that carries forth wisdom and kindness going forward.



Notes


Hat tip to Andrew Ringlein, who I’ve talked to dozens of times about this exact topic over the last 8 years or so. He’s read many other books by George R.R. Martin and believes that he has a predictable pattern of heroic story arcs. So I’m sure he’s influenced my thinking on this, but I think we disagree on a number of these outcomes.



Published on April 19, 2019 00:01

April 18, 2019

Machine Learning Will Capture the ‘Je Ne Sais Quoi’ of Human Existence



Human genius has always been something of a mystery.



Experts often cannot articulate how they know something to be true.



When a world-class chef smells something—crinkles his nose and says it’s not right—there’s a good chance he doesn’t know what’s wrong with it. Malcolm Gladwell told us the story of an art expert who knew instantly that a certain piece was fake—but she was unable to give any reasons for this assessment. And it takes both training and experience for a terrorism expert to look at a city street and know if danger is imminent.



It’s often said that true geniuses tend to be bad at teaching their craft.



This gap between knowing and explaining gives the elite among us a magical aura. It’s as if the best among us are tapping into a river of divine knowledge, and they’re given the ability to execute—but not to understand.



When something has a hidden element that makes it special, we often use the French phrase, “Je Ne Sais Quoi”—which means, “that certain something…”



But science is now telling a different story—a more antiseptic tale of opacity and complexity. It tells us that we have one mind that does things automatically, and another that thinks slowly and rationally. It says the automatic part has access to more information, which it uses to make decisions before (and even without) our awareness.





Another example of this is a woman named Joy Milne, who could smell Parkinson’s Disease. She smelled the shirts of 12 people and identified who had the disease before doctors could do so any other way.

They actually told her she got one wrong, but that patient turned out later to have the disease as well.



But could she tell the doctors what she was smelling? No.



Just like a fighter can’t tell you exactly when they’re going to attack—or a veteran pilot can’t tell you why they’re making a thousand micro-adjustments while making a difficult landing—the answers simply appeared to them unconsciously, and they either reacted or answered without understanding the source.



So rather than wielding it, the best in the world experience their greatness, much like people watching from the outside. Their brains parse more sensory inputs than they can possibly have awareness of—faster than they can keep track of—and then produce answers that they often can’t explain.



The best in the world experience their genius more than they wield it.



Algorithms are also using graytone-sensitive cameras to detect cancer better than human experts.



The combination of multiple sensor types with machine learning will allow us to find patterns far more numerous and subtle than humans can find on their own. Just as dogs can smell drugs better than us, and Joy Milne can detect Parkinson’s better than most humans, the combination of spectral analyzers and ML will likely be able to “smell” many other diseases by simply observing your dirty clothes.



Sure, but why does this matter?

There are many who still see machine learning as statistics with an attitude, or as something that’s novel and noteworthy but not useful in everyday life.



First, we need to understand that the modern era for ML has just begun. Machine Learning goes back to the 1960’s, but never saw much practical success or attention until DeepBlue beat Kasparov in 1997. And even then we still thought it was nearly impossible to automatically identify objects within images.



It’s only within the last 10 years that we’ve made object recognition so approachable, beaten humans at Go, Poker, complex strategic video games, and developed the ability to generate realistic-looking human faces in real-time.



10 years, out of the 200,000 of our species, and the 150 of our scientific awakening. That’s a blip of extraordinary advancement.





Second—and much more important—is the fact that there are many things AI will be able to analyze that have always been elusive to humans. Things that matter.




Is this person lying to me?
Is this a good business deal?
Should I date this person?
Which city should I move to based on my values and skills?
What career should I recommend for my daughter?
What policy change would produce an economy that helps the most people?


Some of these questions can be answered by human experts, but the more complex the question the more questionable their accuracy.



It’d be like Joy Milne smelling 100,000 shirts at once, looking for 1,000 different diseases. When things become sufficiently complex, human sensory input and processing power become overwhelmed—resulting in either no answer, or—and often much worse—the wrong answer.





The power of prediction within chaos

The most useful part of ML will likely be allowing us to glimpse the future in the form of real-time analysis and predictions. There are millions of situations where we as humans only get to guess about things that really matter, and ML will help us see deeper into those situations to make better decisions.



The “why” piece is harder right now, but there are promising paths for making the variables more transparent.




The chances of a start-up failing (and why)
How long is this relationship likely to last given our respective profiles?
The odds that someone is lying based on their tone of voice, facial expressions, and body language
The chances that a given street is dangerous, and adjust the recommended route accordingly
The chances that a contractor is likely to collect and steal internal documents from an organization
Predicting health outcomes given your current behavior
Chances of a given product in the field to fail within a certain time period


In short, the promise of Machine Learning is being able to capture not only what human and animal experts can currently do, but also to take that to an Nth level using the power of sensor technology and computing. The sensors provide an ocean of new inputs, with far more chances to find patterns, and the computing resources allow us to process all those new variables at blinding speed.



ML will allow us to see patterns and truths in daily life that would have otherwise been invisible.



It’s not about finding random patterns that nobody cares about. It’s about finding that certain “I don’t know what” in a business, product, interaction—that gives you the insight you need to make the best decision.




Published on April 18, 2019 20:54

The Toxicity of Fear



Fear is toxic to creative thought.



It will rob you of courage, of your creativity, and of your passion. It will turn you into an empty and uninspiring version of yourself.



If you start thinking about something ambitious—and feel fear take hold—figure out where it’s coming from.



People’s biggest regrets at death’s door are not the things they did, but the things they didn’t do.



If it comes from within, look into ways to deprogram that. If it comes from your manager or your company, start looking at options.



But never accept it.



To accept fear is to accept mediocrity.



Reject both, and be the version of yourself that you’d like to read about.




Published on April 18, 2019 10:18

April 15, 2019

Cybersecurity



Cyber Security—also called Information Security, or InfoSec—is arguably the most interesting profession on the planet. It requires some combination of the attacker mentality, a defensive mindset, and the ability to constantly adapt to change. This is why it commands some of the highest salaries in the world.



“Cyber” vs. Information Security

People who’ve been in Information Security for a long time tend to really dislike the word “cyber” being used in a non-ironic way to describe what we do. But we’re getting over it.



One of the most common questions in the computer security industry is the difference between Cybersecurity and Information Security. The short answer is, “not much”. But the long answer is, well…longer.



Essentially, “Cyber” is a word from pop culture that actually fit our digital future fairly well, with the merging of humans and technology and society. In the beginning, “CyberSecurity” was used as a way to glamorize or sensationalize computer security, but over time people started using it in more and more serious conversations. And now we’re stuck with it.



If I had to give any distinction today (2019) it would be that Cybersecurity is a bit larger in scale than Information Security.



Information Security has always had a tie to protecting data as a core part of its identity. CyberSecurity, on the other hand, includes more connotations around protecting anything and everything we depend on—including things like critical infrastructure.



my CyberSecurity blog posts



CyberSecurity is such a big field, however, that it’s useful to break it up into sections. I’ve done this over the 20 years that I’ve been writing about security, and here are some of the areas in security that you might find interesting.





Sales and marketing teams often conflate these definitions, leading to confusion in the industry.




Offensive Testing: When to Use Different Types of Security Assessments, The Difference Between Pentesting and Red Teaming, The Difference Between Threats, Threat Actors, Vulnerabilities, and Risks, The Difference Between Events, Alerts, and Incidents, Security Assessment Types





Security Tools: Shodan, Masscan, Nmap, Tcpdump, Lsof, iptables




My cybersecurity career guide takes you step by step through the process of building a security career.




Building a Security Career: Building a Career in Cybersecurity, Information Security Interview Questions, Cybersecurity Lacks Entry-level Positions





Security Philosophy: Secrecy is a Valid Security Layer





Security Concepts: Encryption vs. Encoding vs. Hashing, Information Security Definitions






Attack


Security Assessment Types

The Difference Between a Vulnerability Assessment and a Penetration Test

The Difference Between Red, Blue, and Purple Teams

A Masscan Tutorial

A Bettercap Tutorial

How to Use Shodan

When to Use Vulnerability Assessments, Pentesting, Red Team Assessments, and Bug Bounties

Purple Team Pentests Mean You’re Failing at Red and Blue

An nmap Primer




Defense


Obscurity is a Valid Security Layer

An iptables Primer

The Difference Between Events, Alerts, and Incidents

Information Security Metrics

Same Origin Policy Explained

Serialization Bugs Explained

A Security-focused HTTP Primer

Vulnerability Database Resources




Assorted


My Information Security Blog Posts

Information Security Definitions

The Difference Between Threats, Vulnerabilities, and Risks

How to Build a Successful Information Security Career

The Birthday Attack

Information Security Interview Questions

Encoding vs. Encryption vs. Hashing

Diffie-Hellman Explained

The Difference Between the Internet, the Deep Web, and the Dark Web






Published on April 15, 2019 10:36

Daniel Miessler
Daniel Miessler isn't a Goodreads Author (yet), but they do have a blog, so here are some recent posts imported from their feed.