Daniel Miessler's Blog, page 89
January 14, 2019
Unsupervised Learning: No. 160 (Member Edition)
This is a member-only even episode. Members get the newsletter every week, as well as access to all previous episodes, while free subscribers only get odd episodes every other week.
Why I Think the NSA is Releasing a Free Reverse Engineering Tool This Year at RSA
The NSA is releasing a free reverse engineering tool this year at the RSA security conference in San Francisco.
A lot of people are asking about the motive of the NSA releasing a free reverse engineering tool at RSA this year.
— ᴅᴀɴɪᴇʟ ᴍɪᴇssʟᴇʀ (@DanielMiessler) January 9, 2019
Theories include: it’s a backdoor, it’s a tracking mechanism, etc.
My opinion? Recruiting.
It’s a PR move to attract talent post-Snowden/ShadowBrokers.
Many in the security community—who have an understandable and healthy distrust of the NSA—are wondering if there could be a backdoor in the software, if they’re using it to spy on people, etc. The various theories are interesting reading.
And reducing the loss of talent they already have.
I think the answer is much simpler—they’re using the release of the tool to inject some goodwill into the community in hopes of attracting new talent.
In short, it’s all about recruiting.
Between Snowden, the ShadowBrokers leaks, and the damage caused by EternalBlue and NotPetya, I’m guessing morale is at a dangerously low level and they need to do something to raise interest and motivation for working there.
Releasing an open-source tool to help people do reverse engineering, while simultaneously training people how to be good guys and gals is a pretty smart move in my mind.
The simplest explanation is usually the right one.
— Lesley Carhart (@hacks4pancakes) January 9, 2019
Someone mentioned on Twitter that the move reminded them of The Last Starfighter, where an alien spaceforce used a video game to find top talent to help defend the world. I think that’s spot on.

The hero plays a video game that’s actually a trainer
The military has been doing this for years as sort of an open secret, and they spend tons of money making the military and government appear in a positive light in Hollywood movies.
Some might think that’s gross, but I think the worst part about it is the fact that so few people notice—or would even care if they knew. It’s the same kind of thing here with this release. It smells exactly like public relations. But is that really a bad thing?
I wish they’d just come out and say it. Own the fact that it’s a bit of PR, and recruiting, and camaraderie all in one.
Despite the failings of the NSA in recent years, I don’t know many Americans who think we don’t need them. And to do their job well they need talent. And for that talent to perform they need to believe that they’re on the good side.
Or they’re Mr. Burns waiting to pounce—who knows…
I see the overture as a good thing. It’s them eating a piece of humble pie, and cautiously reaching out to the community with a gift. I hope we accept it, and I hope it makes the tenuous bond between us stronger.
Because like it or not, we need each other.
The last thing we need—with Russia and China owning us with impunity—is to be fighting amongst ourselves.
January 10, 2019
A Remarkably Clear Overview of The Border Security Situation
I recently stumbled onto a podcast with Scott Adams about border security, and what I learned from it not only surprised me, but also Scott Adams as the host.
I used to be a huge Scott Adams fan, but that went away when he revealed himself to be one who places his tax rate above the welfare of his community and planet. I still respect his writing and mind, however.
He brought on a guest named Brandon Darby, who’s a border security expert, and he did so presumably to get him to say he supported the wall on our southern border. What happened, however, was much more interesting.
The expert proceeded to completely obliterate Scott’s, Scott’s audience’s, and my understanding of the security situation on the border. Here’s a rough summary of what was said and what I learned:
Darby would not actually say if he supported the wall or not—much to the dismay of both Scott and his audience. This really surprised me, since Darby is a writer for Breitbart, and I just assumed the whole Breitbart cohort was pro-Trump and therefore pro-wall.
Darby’s opinion was actually far more nuanced than that. He said he was for security on the border, but that a wall by itself could absolutely not provide that.
Scott pressed him harder, and what basically came out was that Darby believed a full wall with full lockdown at every entry point would be better security for us, and better safety for the incoming migrants, than what we’re doing now, which is a highly porous, partial solution.
In short, open borders would be better security, and a full lockdown would be better security—and this half-measure that we’re doing now is causing a major portion of the problem.
Darby repeatedly showed himself to actually care about not only our security in the U.S., but the horrific situation for the migrants as well.
Basically, when the border is partially open, it encourages people to bypass security in unsafe ways. If it were completely open they wouldn’t have to and it would make things safer. And if things were completely locked down—at all ports, all airports, all entrances—then there would be enough of a deterrent to keep people from trying. But we’re stuck in the middle.
But the most interesting part came when Darby broke down the actual security situation in Mexico, and what the U.S. should be doing to fix it.
Essentially (talking from his position that I find compelling but am not enough of an expert to fully endorse), Mexico is a partially failed narco-state (his wording). They’re in extraordinarily bad shape, and that’s the cause of all the violence.
He believes the best thing the U.S. could do is declare a number of key cartels to be terrorist organizations, which would freeze their assets and cause them all sorts of friction that would help Mexico itself.
Basically, right now we’re letting the cartels do what they want, which removes the rule of law, which makes people desperate to flee to the U.S.
In short, if we really wanted to reduce the massive numbers of people trying to get here illegally, we’d help them regain control over their government and their country by putting pressure on certain cartels—which would bring the others in line.
I was blown away, and so was Scott.
He was so expecting to have this expert on to tell us how the wall was a good idea. And honestly, if he sounded credible, I would have changed my opinion. I’m open to reality model updates, which is the whole reason I listened in the first place—to hear the best opposing arguments to my current opinion.
And I got one, but not in the way I imagined. And it was remarkable.
Summary
A wall would not really help at all unless we did lots of other things along with it, which are definitely not going to happen.
The best solution is completely open or completely closed. It’s the middle ground that’s hurting us.
If we really wanted to help—at a strategic level—we’d use the State Department’s counterterrorism capabilities to help Mexico get the cartels under control, which would return Mexico to some state of normalcy and reduce the number of people risking their lives to come here.
For anyone who cares about this border security situation, I recommend you listen to this podcast with a willingness to change your opinion.
I’m glad I did.
January 6, 2019
Unsupervised Learning: No. 159
Unsupervised Learning is my weekly show where I spend 5-20 hours finding the most interesting stories in security, technology, and humans, which I then curate into a 30-minute podcast & companion newsletter.
The goal is to catch you up on current events, show you the best content from around the web, and hopefully give you something to think about as well.
How to Monitor a Website’s Uptime for $0.75/month on Amazon
If you’re like me, you care if your website goes down.
There have been services available for years that monitor your site and let you know if it goes down. The one I’ve been using for over a decade is Pingdom, which is great. It gives you tons of advanced options like searching for text within probe responses, controlling where your probes come from, etc.
But the plan I had was around $15/month—which I found a bit pricey since I just needed basic monitoring.
Being an Amazon fan, and knowing that they seem to have an offering for everything, I started digging into whether I could create a simple monitor on their platform. And sure enough—you can—on Route 53.

Route 53 Monitor Geos
And the process is dead simple.
1) Log into your AWS Console and navigate to the Route 53 dashboard.

Adding a Route 53 Check
2) Configure your check based on your site attributes and preferences.
I recommend setting your check to the minimum of every 30 seconds, enabling all geos, and setting the threshold to a single failure.
3) Save your check configuration.
You now have a check that will monitor your site—every 30 seconds—and let you know via email if it ever goes down.
For $0.75.
Pingdom and the like are great for heavy lifting, but this more than does the job for me.
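The same check can be created through the AWS API instead of the console. The following is an added example, not code from the original post: it assumes `boto3` and configured AWS credentials, and it assumes the e-mail alert is delivered by an SNS topic behind a CloudWatch alarm. The function names, topic name and alarm name are hypothetical.

```python
import uuid
from urllib.parse import urlsplit


def health_check_config(url):
    """Translate a site URL into a Route 53 HealthCheckConfig dict."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"expected an http(s) URL, got {url!r}")
    https = parts.scheme == "https"
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    config = {
        "Type": "HTTPS" if https else "HTTP",
        "FullyQualifiedDomainName": parts.hostname,
        "Port": parts.port or (443 if https else 80),
        "ResourcePath": path,
        "RequestInterval": 30,  # seconds between probes from each checker
        "FailureThreshold": 1,  # one failed probe marks the endpoint unhealthy
        # "Regions" is left out on purpose: Route 53 then probes from all regions.
    }
    if https:
        config["EnableSNI"] = True  # send the hostname in the TLS handshake
    return config


def alarm_params(health_check_id, sns_topic_arn):
    """CloudWatch alarm that fires when the check reports unhealthy."""
    return {
        "AlarmName": f"site-down-{health_check_id}",  # hypothetical name
        "Namespace": "AWS/Route53",
        "MetricName": "HealthCheckStatus",  # 1 = healthy, 0 = unhealthy
        "Dimensions": [{"Name": "HealthCheckId", "Value": health_check_id}],
        "Statistic": "Minimum",
        "Period": 60,
        "EvaluationPeriods": 1,
        "Threshold": 1.0,
        "ComparisonOperator": "LessThanThreshold",
        "AlarmActions": [sns_topic_arn],
    }


def deploy(url, email):
    """Create the SNS topic, the health check and the alarm; return the check id."""
    import boto3  # imported here so the builders above run without AWS installed

    # Route 53 health check metrics are published in us-east-1 only.
    sns = boto3.client("sns", region_name="us-east-1")
    topic_arn = sns.create_topic(Name="site-uptime-alerts")["TopicArn"]
    sns.subscribe(TopicArn=topic_arn, Protocol="email", Endpoint=email)

    check = boto3.client("route53").create_health_check(
        CallerReference=str(uuid.uuid4()),  # idempotency token
        HealthCheckConfig=health_check_config(url),
    )
    check_id = check["HealthCheck"]["Id"]
    boto3.client("cloudwatch", region_name="us-east-1").put_metric_alarm(
        **alarm_params(check_id, topic_arn)
    )
    return check_id
```

The e-mail address receives a confirmation message from SNS and gets no alerts until the subscription is confirmed.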
How Nassim Taleb is Both Right and Wrong About IQ
Nassim Taleb is making loud noises about how IQ is basically a big scam, and how it doesn’t mean anything. Like usual, he’s onto something, but also like usual his passion and snark are causing him to miss something major.
For the record, I think Taleb is an absolute genius. I’ve read all of his books, and some of them multiple times.
He’s basically saying that you can have a super high IQ and not be famous and rich like he is, which is of course true. His examples were highly-paid back office people at major investment companies. In his mind, losers, evidently. Of course they’re probably making between 200-500K/year.
So guess what? Yes, IQ should matter—to most people. Why? Because it’s correlated with academic success and therefore income. Ask most parents if they care about those things.
7) I put "IQ" in "" as I don't believe that measured IQ includes ability to tinker aggressively, real IQ for me. #GreenLumber #AntiFragile
— Nassim Nicholas Taleb (@nntaleb) March 11, 2017
Now if you’re Nassim Taleb, or the head of an art gallery, and you are being asked to pick your new best friend, or book author, or top poet, does IQ matter that much? No. He’s clearly focused on creative hackers and innovators. Because that’s what he values.
But if you’re trying to predict if someone is going to be a lawyer, or a doctor, or an engineer, or lots of major careers that make decent money, you can do much worse than looking at their IQ score.
IQ is not a cognitive worth score. Or a “does this person have value” score. Or even an intelligence score. It’s a very specific type of test for a very specific type of performance, and that type of ability happens to be correlated strongly with outcomes people really value.
So Taleb is simultaneously right and wrong. It all depends on the question you’re trying to answer. The thing you’re trying to predict.
If you are trying to predict if someone is going to be a remarkable artist, or a great friend, or a moral hero—no it doesn’t matter. But if you’re trying to predict future success in school and in the workforce, in terms of income, it’s a pretty strong signal. So for some it means nothing, and for some it means quite a lot.
I also find it hilarious when famous people who get noticed for bashing IQ almost inevitably have high ones. I’d bet Taleb’s score is way over 120. It’s pretty easy (and common) for people with high intelligence to talk about how little it matters. It’s like privilege in that way, well, perhaps because it is one.
Summary
Yes, IQ matters (to a lot of people) because it strongly predicts academic success and income.
No, that is not a measure of a person. Creativity matters. Kindness matters. And IQ measures a fairly limited number of things about a person’s mental capabilities.
Taleb is right if he’s attacking people who think IQ is some kind of magical thing that guarantees you’re a genius. It doesn’t.
But he’s wrong if he’s saying we should throw it out as uninteresting and unworthy of study.
January 5, 2019
How to Ctrl-Alt-Delete in VMware
Few things are more annoying than being stuck inside a bad UI, and virtualization environments are a common place for that to happen.
Here’s how to do the three-finger-salute inside VMware.
Regular: Ctrl+Alt+Del
Full-sized Mac keyboard: FwdDel+Ctrl+Option (Delete below Help key)
Abridged Mac keyboard: Fn+Ctrl+Option+Delete
January 3, 2019
Site Traffic Metrics for 2018
So the biggest story for my site’s traffic in 2018 is the Google Algorithm Changes that I wrote about here.
It was a bloodbath, basically.
I am currently at 50% of my traffic as compared to the beginning of 2018. But I’m hoping that’ll re-adjust as Google tries to figure out who has authority on various topics and who doesn’t.
Here’s some browser data—with Chrome still dominating.
And here’s some social media numbers.
Overall I still had way over 2 million pageviews, so it was still a good year. But I can’t help but feel like the year was a bad one due to losing 50% of my traffic starting around July.
I really hope Google re-adjusts and brings me back to my former levels—and hopefully even more given the work I’ve been doing on cleanup.
The Difference Between Security and Privacy
Short answer: it’s a trick question. Privacy is part of security.
But just because one is part of the other doesn’t mean they are the same. There’s a nuance there that’s important.
The word “security” is shorthand for “information security” or “cybersecurity” in this parlance.
Information Security is about controlling access to information.
Privacy is about making sure users’ expectations about use of their personal data are reflected in the real world.
These are extremely similar, but not identical.
The main difference is that with security the policy for protection and use is a given, and with privacy it’s a conversation with the user.
Both are about avoiding misuse of data. The difference is in one component—the policy, i.e., the expectation of how information is supposed to be used.
With Privacy, this is an important point because that needs to be captured from the user at various points in the lifecycle of a product or service.
With the larger Information Security field, this expectation of protection and use component is given to us as an explicit policy at the beginning. These people can do this with this data, these people cannot. Etc.
That’s really the difference.
So don’t listen to anyone who says they’re either completely different or completely the same. It’s more nuanced than that.
Both are about protecting information from use that violates policy, which is information security. Privacy just involves gathering that policy from the user as part of the process.
It Appears China is Building a Massive Espionage Database on America
I’ve mentioned this in numerous places for the last few years, so I decided it was time to finally put it into a formal piece.
It seems obvious at this point that China is building a massive database of information on American individuals and companies, which they can then use for various purposes—including espionage, intellectual property theft, extortion, and other types of coercion.
Here are some of the attacks that have been linked to China with some significant degree of confidence.
OPM: The attack on the Office of Personnel Management was perhaps the worst breach in history in terms of espionage, as what was stolen was the background investigation files for most everyone in the United States with a security clearance. So—just to spell it out—China now has all the dirty laundry for Americans serving in the most sensitive positions in our military and government.
Equifax: Most of the credit files, and associated financial information, for a massive percentage of the American population.
Marriott: The Marriott breach captured millions of files on people who travel a lot for business.
Seeing any patterns yet? Here are some more.
China is the single greatest risk to the security of American technologies.
Congressional Advisory Group
Google and 34 other companies in 2010, including Northrop Grumman, Symantec, Yahoo, Dow Chemical, and Adobe Systems.
Navy Contractor, 2018
China using LinkedIn to target people inside high-value companies, 2018
Sandia National Labs, 2004
Congressman Wolf, 2006
Commerce Department, 2006
F-35 Program, 2009
Think Tank/Law Firm Associated with a Chinese Fugitive, 2017
And this is just a fraction of what’s out there.
Basically, they’re building an organized database of stolen information that they can use to beat us economically and militarily in the long-term.
I’d like to be mad at them, but I’m not really. They have a mission, and that’s to win the game over the span of decades and centuries—not tomorrow or the next day. They’re strategic and they’re unified.
I wish the US were so organized and cohesive. I really do.
But just because I respect what China is doing, or at least the fact that they’re conscious enough to be doing it to further their unified goals—doesn’t mean that I have to like it.
And here’s a great prediction for 2019 from Chad Loder:
2019 security prediction: A major breach involving one of the DNA testing sites, with China as the likely culprit.
— Chad Loder ❇️ (@chadloder) January 1, 2019
You see the stuff they have already:
Background investigation information for our most sensitive people
Our credit files
Our business travelers
A list of who works at what companies, doing what
Now add a hack of a DNA database to that list. Imagine them having partial (and eventually full) genome information on these same people. Of course right now there aren’t too many practical attacks one can launch using that information, but they did just arrest someone for making CRISPR babies.
This stuff is pretty far off, so don’t think we’re close to bio attacks that only kill certain people. That’s fiction today, and probably will be for quite some time.
The whole technological world is working on personalized medicine right now. And with personalized medicine will inevitably come personalized weapons. I’m not sure how far off those practical attacks are, but I can tell you the answer is not far enough.
But even without personalized weapons based on a DNA breach, the idea that a highly organized and highly trained state-level adversary is actively building these kinds of databases on us, and using that information however they can to secure victory—that’s just extremely frustrating, and exhilarating, and surreal, all at once.
It’s asymmetric in so many ways.
We don’t even have that much information on our own citizens, but it’s being gathered and organized by a hostile government to be used against us. And, even crazier, we wouldn’t be allowed to have that much data in one place if we could do it technically.
I think the possible exceptions are data broker companies, like Acxiom, Nielsen, Corelogic, etc. There’s little doubt in my mind that they’re actively trying to compromise other data brokers like them who have the specific mission of collecting and linking information together on individuals.
Those have to be extremely high on their list of targets.
Summary
China is owning us with impunity, and they’re building massive databases to help them target high-value individuals and companies for information and/or leverage
Most people aren’t aware of this level of organization and strategic, long-term thinking on their part, and they should be
I’m not sure how to fault them for doing this, other than to point out that much of it is illegal. The fact is that this is the new reality for warfare, so every nation should probably have some similar capability
If you want to know where the shoe hasn’t dropped yet, look at DNA Databases, Data Brokers, and Law Firms. Those are places that have deep data, unified data, and sensitive data that would go a long way towards enriching what they already have.
It’s time to get in this game, because right now China is not only playing (and winning) without us: they’re doing so without most people even knowing.
Notes
Image from e-hacking news.
