Daniel Miessler's Blog, page 90

January 3, 2019

The Difference Between Security and Privacy



Short answer: it’s a trick question. Privacy is part of security.



But just because one is part of the other doesn’t mean they are the same. There’s a nuance there that’s important.



The word “security” is shorthand for “information security” or “cybersecurity” in this parlance.




Information Security is about controlling access to information.
Privacy is about making sure users’ expectations about use of their personal data are reflected in the real world.


These are extremely similar, but not identical.



The main difference is that with security the policy for protection and use is a given, and with privacy it’s a conversation with the user.



Both are about avoiding misuse of data. The difference is in one component—the policy, i.e., the expectation of how information is supposed to be used.



With Privacy, this is an important point because that needs to be captured from the user at various points in the lifecycle of a product or service.



With the larger Information Security field, this expectation of protection and use component is given to us as an explicit policy at the beginning. These people can do this with this data, these people cannot. Etc.





That’s really the difference.



So don’t listen to anyone who says they’re either completely different or completely the same. It’s more nuanced than that.



Both are about protecting information from violating policy—which is information security. Privacy just involves gathering that policy from the user as part of the process.
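To make the one-component difference concrete, here is an added example (mine, not from the original post): the same data-access decision run through two policies. The security check applies a policy handed down in advance by the organisation (an access-control list of which service may read which field), and the privacy check applies a policy gathered from the user (a consent record naming the purposes they agreed to). Service names, field names, user ids and consent records are constructed for the example; the mapping of each service to exactly one purpose is an assumption.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Tuple


class Purpose(Enum):
    """Why a caller wants the data. Privacy decisions hinge on purpose."""
    SERVICE = "service_delivery"
    ANALYTICS = "analytics"
    MARKETING = "marketing"


# Security policy: which internal service may read which field.
# Fixed in advance by the organisation; the user never negotiates it.
# (Constructed sample data for this example.)
ACCESS_POLICY: Dict[str, FrozenSet[str]] = {
    "billing-service": frozenset({"email", "postal_address"}),
    "analytics-pipeline": frozenset({"email"}),
    "ad-platform": frozenset({"email", "postal_address"}),
}

# Assumption for the example: each service acts for exactly one purpose.
SERVICE_PURPOSE: Dict[str, Purpose] = {
    "billing-service": Purpose.SERVICE,
    "analytics-pipeline": Purpose.ANALYTICS,
    "ad-platform": Purpose.MARKETING,
}


@dataclass(frozen=True)
class Consent:
    """Privacy policy: captured from the user (signup, settings page, etc.)."""
    user_id: str
    allowed_purposes: FrozenSet[Purpose]


# Constructed consent records: alice agreed to service + analytics,
# bob only to service delivery. Anyone else has no record at all.
CONSENT_RECORDS: Dict[str, Consent] = {
    "alice": Consent("alice", frozenset({Purpose.SERVICE, Purpose.ANALYTICS})),
    "bob": Consent("bob", frozenset({Purpose.SERVICE})),
}


def security_allows(service: str, field_name: str) -> bool:
    """Security check: does the fixed access policy let this service read the field?"""
    return field_name in ACCESS_POLICY.get(service, frozenset())


def privacy_allows(user_id: str, purpose: Purpose) -> bool:
    """Privacy check: did this user agree to this purpose?

    A missing consent record is treated as no consent (default deny),
    which is the edge case most implementations get wrong.
    """
    record = CONSENT_RECORDS.get(user_id)
    return record is not None and purpose in record.allowed_purposes


def grant_consent(user_id: str, purpose: Purpose) -> Consent:
    """Privacy policy changes over the product lifecycle as the user is asked again."""
    current = CONSENT_RECORDS.get(user_id, Consent(user_id, frozenset()))
    updated = Consent(user_id, current.allowed_purposes | {purpose})
    CONSENT_RECORDS[user_id] = updated
    return updated


def authorize(service: str, user_id: str, field_name: str) -> Tuple[bool, str]:
    """Both checks must pass; the reason string says which policy decided."""
    if not security_allows(service, field_name):
        return False, "denied by access policy"
    purpose = SERVICE_PURPOSE.get(service)
    if purpose is None or not privacy_allows(user_id, purpose):
        return False, "denied by user consent"
    return True, "allowed"


if __name__ == "__main__":
    for svc, user, fld in [
        ("billing-service", "alice", "email"),
        ("analytics-pipeline", "bob", "email"),
        ("analytics-pipeline", "alice", "postal_address"),
        ("ad-platform", "alice", "email"),
    ]:
        print(f"{svc:20} {user:6} {fld:15} -> {authorize(svc, user, fld)}")
```

The two deny reasons are the whole point: "denied by access policy" is a security outcome decided before the user ever showed up, while "denied by user consent" is a privacy outcome that only exists because the policy was collected from the user and can change when they are asked again.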

Published on January 03, 2019 14:03

It Appears China is Building a Massive Espionage Database on America



I’ve mentioned this in numerous places for the last few years, so I decided it was time to finally put it into a formal piece.



It seems obvious at this point that China is building a massive database of information on American individuals and companies, which they can then use for various purposes—including espionage, intellectual property theft, extortion, and other types of coercion.



2/3 of the intellectual property theft cases that the Department of Justice deals with come from China



Here are some of the attacks that have been linked to China with some significant degree of confidence.




OPM: The attack on the Office of Personnel Management was perhaps the worst breach in history in terms of espionage, as what was stolen was the background investigation files for most everyone in the United States with a security clearance. So—just to spell it out—China now has all the dirty laundry for Americans serving in the most sensitive positions in our military and government. Link
Equifax: Most of the credit files, and associated financial information, for a massive percentage of the American population. Link
Marriott: The Marriott breach captured millions of files on people who travel a lot for business. Link


CYBERWARFARE BY CHINA



Seeing any patterns yet? Here are some more.




China is the single greatest risk to the security of American technologies.

Congressional Advisory Group





Google and 34 other companies in 2010, including Northrop Grumman, Symantec, Yahoo, Dow Chemical, and Adobe Systems.
Navy Contractor, 2018 Link
China using LinkedIn to target people inside high-value companies, 2018 Link
Sandia National Labs, 2004 Link
Congressman Wolf, 2006 Link
Commerce Department, 2006 Link
F-35 Program, 2009 Link
Think Tank/Law Firm Associated with a Chinese Fugitive, 2017 Link


And this is just a fraction of what’s out there.



Basically, they’re building an organized database of stolen information that they can use to beat us economically and militarily in the long-term.





I’d like to be mad at them, but I’m not really. They have a mission, and that’s to win the game over the span of decades and centuries—not tomorrow or the next day. They’re strategic and they’re unified.



I wish the US were so organized and cohesive. I really do.



But just because I respect what China is doing, or at least the fact that they’re conscious enough to be doing it to further their unified goals—doesn’t mean that I have to like it.



And here’s a great prediction for 2019 from Chad Loder:



2019 security prediction: A major breach involving one of the DNA testing sites, with China as the likely culprit.

— Chad Loder ❇️ (@chadloder) January 1, 2019


You see the stuff they have already:




Background investigation information for our most sensitive people
Our credit files
Our business travelers
A list of who works at what companies, doing what


Now add a hack of a DNA database to that list. Imagine them having partial (and eventually full) genome information on these same people. Of course right now there aren’t too many practical attacks one can launch using that information, but they did just arrest someone for making CRISPR babies.



This stuff is pretty far off, so don’t think we’re close to bio attacks that only kill certain people. That’s fiction today, and probably will be for quite some time.



The whole technological world is working on personalized medicine right now. And with personalized medicine will inevitably come personalized weapons. I’m not sure how far off those practical attacks are, but I can tell you the answer is not far enough.



But even without personalized weapons based on a DNA breach, the idea that a highly organized and highly trained state-level adversary is actively building these kinds of databases on us, and using that information however they can to secure victory—that’s just extremely frustrating, and exhilarating, and surreal, all at once.



It’s asymmetric in so many ways.



We don’t even have that much information on our own citizens, but it’s being gathered and organized by a hostile government to be used against us. And, even crazier, we wouldn’t be allowed to have that much data in one place if we could do it technically.



I think the possible exceptions are data broker companies, like Acxiom, Nielsen, Corelogic, etc. There’s little doubt in my mind that they’re actively trying to compromise other data brokers like them who have the specific mission of collecting and linking information together on individuals.



Those have to be extremely high on their list of targets.



Summary


China is owning us with impunity, and they’re building massive databases to help them target high-value individuals and companies for information and/or leverage
Most people aren’t aware of this level of organization and strategic, long-term thinking on their part, and they should be
I’m not sure how to fault them for doing this, other than to point out that much of it is illegal. The fact is that this is the new reality for warfare, so every nation should probably have some similar capability
If you want to know where the shoe hasn’t dropped yet, look at DNA Databases, Data Brokers, and Law Firms. Those are places that have deep data, unified data, and sensitive data that would go a long way towards enriching what they already have.


It’s time to get in this game, because right now China is not only playing (and winning) without us: they’re doing so without most people even knowing.



Notes


Image from e-hacking news.



I spend between 5 and 20 hours creating this content every week. If you're someone who can afford fancy coffee, please consider becoming a member for just $5/month…


Start Membership


Thank you,


Daniel

Published on January 03, 2019 04:13

The Differences and Similarities Between IoT and ICS Security



I saw a tweet recently by Robert M. Lee—a highly respected ICS Security professional in the industry.



When folks put “ICS” in the category of “IOT” it conflates the systems, purpose, value, and risks of separate communities. There are important differences between a robot arm in a car manufacturing plant and your internet connected doll even if both have default passwords.

— Robert M. Lee (@RobertMLee) January 2, 2019


I am a mid-tier ICS Security person, by the way. I’m experienced with it, and an expert compared to most security people, but I’m a non-expert compared to the people fully focused on it like Robert.



I see his point, and I think it’s valid, but I worry that some people who are not experts in IoT or ICS security might not get the nuance. The part I want to quibble with is this bit:




When folks put “ICS” in the category of “IOT” it conflates the systems, purpose, value, and risks of separate communities.

Robert M. Lee




I almost completely agree with this statement—but with a caveat.



Basically, I do believe that ICS is a category of IoT—if you define IoT a certain way. As usual, so many of these discussions come down to definitions. And this isn’t going to be a rant about how my extremely detailed and specific definition is the most accurate, and how Robert’s or anyone else’s is specifically and technically incorrect.



I think we actually need to head the opposite direction when it comes to these definitions and discussions. I think the definition we should be using for IoT, when we’re talking with non-experts and the public at large is something like, “The process of connecting everyday objects and systems to networks in order to make them globally available and interactive.”



For most people, IoT can best be thought of as the process of connecting everyday objects and systems to networks in order to make them globally available and interactive.



I believe this definition does a lot of work for us.



Most importantly, it unifies the risks around everyday IoT, ICS, and IIoT. It makes it clear that the primary source of risk for all IoT is the fact that there are many sensitive things that happen in this world, and that it’s inherently a really big deal to start connecting those functions to networks.



Even the Internet of Shit can be dangerous if it’s insecure and grants access to something or allows an attacker to steal resources, e.g., the fish plaque connected to the cloud that grants access to your network.



This is true of car robot arms, baby monitors, thermostats, and almost every type of IoT one can imagine. That is the unifying component—going from analog to digital, from isolated to connected, and from static to interactive.



Now, that being said, I absolutely agree that this unification has limits, and that—like Robert said—it’s simultaneously critical to make distinctions between the various types of IoT. But once we accept what’s similar, I think it’s easier to make those lines clearer for people.





I think it comes down to magnitude of impact assuming something were to go wrong. If your fish plaque gets compromised, an attacker might use your bandwidth to create fake ad clicks, or they might try to pivot and install ransomware on your systems at home.



But if a major dam’s SCADA system is compromised, well, millions of dollars of property could be lost, people can be hurt and killed, and it can have a major effect on livelihoods and economies. That’s a major difference worth calling out.



So I guess what I’m saying is that perhaps we should use a broader, more approachable definition of IoT that unifies underneath the basic concept of old=disconnected=lower risk, and new=connected=higher risk. And then from there we can make the separations within IoT of the types according to impact. Perhaps something like the following:



A conceptual differentiation between IoT, Consumer IoT, and Industrial Control Systems



Eager to hear any feedback.



I think the distinction is minor, but important.





Published on January 03, 2019 02:42

Things I Like to Do In January



January always feels fresh to me—a chance to be better. But at the same time, it’s really just a day after the end of December. This is why I don’t do New Year Resolutions. Basically, if you wanted to do that thing bad enough, you would have done it already.



But that’s for things that you can do and start at any moment that you want to continue doing, like eating better, or getting more exercise. The things I like to do in January are different: they’re annual activities that—as the name implies—you only need to do once a year.



Here are mine:




Rotate Passwords: This one is pretty obvious, but for your top accounts you should probably be rotating at least once a year. It’s also a good time to make sure your 2FA settings are solid, and that your recovery options are correct, e.g., phone numbers, backup emails, etc.
Make Sure My Backups Are Solid: This should be higher in the list, but I do all of them pretty much simultaneously so it’s not a big deal. Making sure you have your most important data backed up is something you want to do at least once a year. I recommend a hybrid strategy of cloud plus local storage. So you have most of your backups in your favorite cloud system, and you have a copy of it on a set of hard drives (or a NAS) that you update at least once a year.


Reorganize my Feedly Account: Feedly is my top news source, and it’s critical that it stays in good shape. Things I do here include trimming categories, pruning sources, and revisiting settings and options. This year I removed tons of categories and got it down to Favorites, InfoSec, Ideas, and News—all while removing tons of dead and broken sources.
Clean up my Twitter Account: Twitter—as much as it’s become toxic in recent years—continues to be the best window into my professional world. It’s sad to write that, but I think it’s still true. Every year I adjust my lists, take a look at my profile pic, profile text, settings, and who I’m following. This year I pruned lists by half (consolidation) and didn’t make too many changes to who I’m following.
Revisit Reddit: Reddit is my view into the wider world, and every year I take a look at my settings and subreddits. I didn’t make any changes this year, but I did look at some of the new settings and client options and made some tweaks.


I just finished my tweaking and it feels quite nice.



I recommend you do the same.





Published on January 03, 2019 01:39

January 2, 2019

The Polarization of the Bay Area’s Quality of Life



I’m a life-long Bay Area resident—born and raised—and I’m starting to see transformations in various communities that are setting off my dystopian spidey senses.



Basically, I’m seeing stark and disturbing differences between communities that are just a few miles from each other. I’ll take the Newark / Fremont area as an example, since I’m familiar with it, but I’ve seen this type of thing throughout the Bay Area over the last several years.



Dead Zones


If you go to run-down cities, like Newark, there are often homeless everywhere just wandering around like zombies. I’ve lived there since the 70’s, and within the confines of anecdote I can say it’s never been like this. Perhaps there were homeless before, but it wasn’t nearly as acute or visible.
Restaurants in these places are typically ghost-towns, with very few wait staff and virtually no interest in customer service. I often go into restaurants in Newark, San Bruno, and other similar areas where the staff might not even acknowledge you when you come in. And even then, it’s not a direct address—more like a chore that must be done. I would be mad about it, but it’s not their fault. Management has cut staff dramatically and put much more load on each person working—and without more pay.
The bathrooms in these towns are often splattered in urine and feces, with tons of graffiti on the walls. And toilets are often out of order, missing toilet paper, etc. Again, when mentioning this fact to the staff, they stare back at you with dead eyes and you realize you’re an asshole for even bringing it up. Their lives are infinitely more difficult than mine, and I’m acutely sensitive to that.
I was in a Starbucks in Newark yesterday (my hometown) and there were four homeless people camped out inside the store. The man next to us smelled so bad that we and other customers had to actually cover our noses to work nearby. It was the smell of fecal matter rotting on skin. He was rigged up with three extension cords and multiple gaming consoles just playing away for hours. I asked management about the smell, mentioning that the guy (a white guy probably in his 50s) seemed nice enough but he was disrupting the entire place, and they said he could do nothing whatsoever. And again, I felt like a horrible person for even talking to someone about it. If someone is in a bad enough spot to spend their time in a Starbucks, after not showering probably for days or weeks, then who am I to complain about my cafe experience?
The people in the cafes and businesses in these towns tend to seem beaten down, frayed, or otherwise downtrodden. Alternatively, they appear to not be participating in the rat race, e.g., they’re gamers or retirees or high school kids not particularly focused on college.


After enough of these really negative experiences of seeing abject poverty and suffering—not just recently but over the last few years—I hear myself saying internally that I need to start going to “nicer” places. You know, places where there won’t be people stinking up the entire place because they decided to not participate in society (I know a lot about that particular person, and he’s definitely making that choice). Or another local guy with obvious drug problems with a suitcase worth of stuff strewn about his table.



I define a Star Trek liberal as someone who thinks the goal is to live in a society like that of Star Trek The Next Generation, i.e., highly diverse and focused on art and scientific exploration rather than materialism.



The problem is I feel bad for thinking this way. I am a Star Trek Liberal—again, born and raised in the Bay Area. I was not raised to run away from suffering, to run to the richer areas where I feel comfortable all the time. That’s why I drive from San Francisco where I live and work, to Newark (a 40-80 minute drive) to spend my free time. It’s home.



The idea of writing off my old stomping ground to head for more refined communities is repulsive to me.



But let’s talk about those places real quick, just to see the differences.



Thriving Areas


I’ve noticed that nice places are basically anywhere with a Philz coffee, Apple Store, or Whole Foods nearby (with a few exceptions like San Francisco proper).
The people in coffee shops there are younger, more Asian, and obviously very focused on either preparing for college, doing well in college, or kicking ass in their new careers. They’re basically high-grit people with educated parents or parents that highly value education for their kids.
The other types of people in these nicer communities’ cafes are 20s to 50s entrepreneurs meeting to talk about their businesses and their ideas. In these nicer areas I’d guess roughly 10% to 50% of the clientele at any given time are these types.
The staff in the restaurants are more attentive and courteous—no doubt due to the fact that they are working more for something to do and some side money, and not to support a family in an impossible situation.
The restaurants and businesses are well-kept, with functioning restrooms not covered in filth.
The streets, gas stations, and general infrastructure is more clean and presentable.
The people you see in stores and businesses and cafes are vibrant and energetic, and seem to obviously have some measure of optimism for their futures.


Polarization

The Anaphase step in Mitosis



What interests me about this situation is not just saying that some places suck, and some places are nice. That’s both rude and obvious.



What matters more to me are 1) the reasons this is happening, and 2) how this dynamic will continue to unfold over time. To me those two are strongly related, as I think they both share polarization, i.e., the bad places getting worse, and the nice places getting better.



This is where the dystopia comes in.



There are now indications that this investment could be slowing.



My hometown of Newark has two main shopping areas, and they’re both completely taken over by Chinese businesses at this point. Like, completely. Of course there’s nothing wrong with Chinese businesses, but there’s a play now for Chinese business interests to find decapitated spots in the Greater Bay Area and to just move in and take over.



That doesn’t sound positive for me. Not because of any crazy conspiracy or anything, but just because it’s the clearest sign that what existed before wasn’t strong enough to survive on its own. It’s a clear indicator of decline when a single force (like Chinese tea shops) can come in and replace most of your local businesses in a matter of moments.



So that’s one side: your businesses get hollowed out and replaced with new money from the outside. The infrastructure basically rots. There’s garbage everywhere. There are either far more homeless, or they are forced into the streets. There’s no customer service because you can’t pay good people enough to work there and management has to cut costs by hiring fewer people. And the schools are bad, so none of the highly education-focused Asian families want to live there to raise their kids.



That spells the end of (or at least a prolonged decline of) cities like Newark in my mind. But it’s not just Newark. It’s all up and down the East Bay coast. San Leandro, Hayward, most of San Jose, etc. They’re epicenters of suffering, full of people basically resigned to a third-tier existence.



Enter the green zone

And then, right next door, you have these little thriving areas. Cupertino. Palo Alto. Parts of San Francisco. Walnut Creek. Pleasanton. And many other small enclaves of the successful.



What fascinates me is how aware of the poor areas these places are. They know how bad it is out there. And they know they live in the nicer area. And while it’s hard to be inside someone’s mind, I can’t help but thinking that they’re protecting their spots. They’re gatekeeping, whether consciously or not—to keep out the riff-raff.



So you wouldn’t go into a Starbucks in Walnut Creek and find a homeless white guy playing video games all day while chasing out customers with his smell. That wouldn’t happen. They’d kick him out as soon as someone complained—if they even allowed him in.



The streets are cleaner. The gas stations don’t have as many gang signals carved on the pumps. More of the population is educated. And the schools are better.



So all the rich—and by rich I mean well-paid tech workers and other professionals mostly—all move there to start their families.



Dystopian Gravity

My real problem is what seems to be coming as a result of this stratification.



$16/hour is $32K/year, which is less than it costs to live in many places in the Bay Area



Service Workers can’t afford to live in most of the nice areas in the Bay Area. Hell, many of them have to come in from out in the desert, like Fresno and Modesto. But at the same time, the nice areas need cooks, and waiters, and cleaning staff.



It seems obvious that some sort of eventual solution will be something like servants’ quarters: areas of the nice parts of town that are designated for the help. None of the nice folk will go over there, and the people who live there will know they’re not welcome in the city unless they’re working. It’ll be a nice little arrangement. Right up until someone (like me in this piece) realizes how goddamn disgusting it is.



We’re building a Red Zone / Green Zone situation. Right here in the Bay Area. Right now.



The only thing we’re lacking is checkpoints around the Green Zones to make sure people from the Red Zone are allowed in to do some work for the educated folk. You think that sounds crazy—and it does—but places like New Orleans are already hiring private security forces to protect nice areas. And numerous neighborhoods are investing in private security to keep out the undesirables.



I think this massive income disparity, the destruction of the middle class, and the polarization of neighborhoods into rich or poor is going to have a major effect on people. I think it’s going to inject a social discord and fragility into our overall society that’s going to be extremely unhealthy.



I wish I had answers, but ultimately I think the cause is the changing nature of work. There are basically fewer and fewer types of jobs that pay lots of money, and they can only be filled by people with certain gifts or lots of luck. And the other 90% will mostly be stuck with service work that barely pays livable wages even outside of the Bay Area and similar places.



That employment and income difference is what’s powering this entire thing, and like a fresh wreck on the freeway it’s both tragic and hard not to notice.



If you’re a student of this type of phenomenon, and/or live in the Bay Area, hit me up below or directly and tell me what I got right and wrong here. I’m eager to better capture the problem so we can start exploring solutions.





Published on January 02, 2019 02:00

January 1, 2019

Unsupervised Learning: No. 158 (Member Edition)



This is a member-only even episode. Members get the newsletter every week, as well as access to all previous episodes, while free subscribers only get odd episodes every other week.







Published on January 01, 2019 18:15

Red Teaming is Vaccination for the Enterprise



I was doing the Twitter thing recently, and someone was talking about red teaming and I had an epiphany: Vaccination and Red Teaming are extremely similar.



Or at least they should be.



Here are some similarities:




The main purpose is to strengthen the defenses
It’s done by exposing defenses to the bad stuff
Its effect weakens over time, so you have to keep doing it
People who refuse to do it are more vulnerable to real attacks
The closer the exposure is to the real thing, the better
Various groups mandate them, and various groups fight that mandate


These are pretty striking to me.



There is some argument that most people just use regular old attacks, however.



The regulation angle is fascinating as well. All sorts of security standards require that adversarial testing is performed, but very few testing practices can actually mimic the type of attackers that are likely to come after a given target—especially for high-level attackers.



The problem is that real attackers are diverse, and use diverse toolsets, and I’d argue those are more varied (and tame) than the TTPs of security testers. And that in turn results in less immunity to the real stuff when it happens.



So that’d be something like immunizing for a Flu strain we saw in 1994, knowing that what’s coming next year won’t look much like it. Anyway, I’m not sure how deeply the analogy holds, but I think it is quite strong as a metaphor.



Basically, if you’re not emulating real adversaries to your WHATEVER then you’re more likely to be blindsided when they actually show up.



Be ready.



Summary


Both red teaming and immunization are based on exposure to real threats.
Both weaken in effectiveness over time and therefore require periodic re-application.
Both are being mandated by various groups, and are being carried out with varied levels of effectiveness.
Both have detractors who refuse to participate, and who leave themselves in weakened states as a result.




Published on January 01, 2019 17:52

Inflammation in the Body Keeps Being Tied to Depression



If a rat is experimentally injected with infectious bacteria, it behaves a bit like I did after the dentist. It withdraws from social contact with other animals; it doesn’t move so much; its sleeping and eating cycles are disturbed.

In short, infection reliably causes a syndrome in animals — called sickness behavior — that is roughly recognizable as akin to the human experience of depression. In fact, you don’t even need to infect a rat to see this sickness behavior. It is enough to inject the rat with cytokines, proving that it is not the germ itself that causes sickness behavior but the immune response to infection.

Inflammation directly causes depression-like behaviors in animals — that is beyond doubt.

Source: The Link Between Inflammation and Depression – Member Feature Stories – Medium




I think this link—if it proves valid—will end up being one of the biggest breakthroughs in mental health in decades. Perhaps equal to the idea that much of our mental functioning takes place in our subconscious.



Last year I created a calculator for determining how depressed you’re likely to be, which also serves as a recommendation engine.



The quote from this article is just remarkable: you can produce depression in animals by challenging their immune systems. Now think of the depressed people you know. How many of them are physically active and eating good foods? How many of them have dental health issues?



In other words, how much of our current depression epidemic is associated with or directly tied to a state of immune system irritation?



Now ask a different question: how many people do you know who eat healthily—with lots of fresh vegetables and very little fast/junk food and who get lots of exercise—are depressed?



There are many causes for depression, so of course it’s possible to be a paragon of physical health and still be depressed.



Anecdotes are not data, but I don’t think I know any. Most are either horrible eaters, obese, sedentary, or all three. The first twenty of these studies I ignored as background noise, but the evidence seems to be adding up. I find it quite fascinating.



I still feel like it’s early in this area of research. And I’m not a doctor so I don’t feel comfortable being certain about these types of things. But here’s what I will say: if you’re in a bad spot, or know someone who is, there seems to be very little risk in entertaining this emerging theory around inflammation.



Consider looking at your diet, dental care, and other sources of inflammation, and then getting serious about exercise.



I think this is likely to (if these studies stand up to scrutiny) become the new standard for not just good health—but good mental health as well.





Published on January 01, 2019 17:27

December 27, 2018

The Effect of Google’s Late 2018 SEO Algorithm Changes on Multi-Discipline Sites



Starting around October 1st I saw something catastrophic happen to my incoming traffic from Google.



Compared to the beginning of the year I have gone from around 10,000 pageviews a day to around 5,000—a 50% loss in traffic.



Once I noticed (which took a while), I started reading a ton of articles on all the various potential causes. Finally, after finding a few good ones and talking to my friends in the SEO business, I think I now have a good idea of what happened.



Keep in mind this is still theory, so I could find out at any moment that I was wrong.



Google released a number of major algorithm updates in the latter part of 2018. And at least one of them focused on what they’re calling Your Money or Your Life, which they abbreviate to YMYL.



Basically, they’re specifically trying to find—and punish—sites that make false claims about things that matter. And one of the ways they’re doing that is by trying to judge a site’s authority on particular topics.



Be sure to review Google’s SEO Guidelines.



There’s another tangent to this, which is a concept called “staying in your lane”. So if you’re a lawyer specialized in European Privacy, and you start going off about the Higgs Boson and how everyone’s wrong about string theory, well, Google might conclude that you’re talking out of your ass. The implication is that your overall trust ranking will fall as a result.



And that brings us to me and this website.



The other thing Google focuses on is called E.A.T—expertise, authority, and trust.



I’m a security guy. IoT Security. Application Security. I’m learning more and more about AI and ML, and have smart (but cautious) things to say about those topics.



But I also write extensively about things that have nothing whatsoever to do with security or technology.




Philosophy
Futurism
Politics
Creativity
Happiness
Etc…


To make things even worse, I also do a show called Unsupervised Learning, which is a podcast and newsletter about “Security, Technology, and Humans”.



An excerpt from a recent newsletter



It’s all over the place. I go from Chinese espionage plots to potential cures for cancer, to the future of work, to fiction book reviews.



I don’t think Google has any idea what to do with the site.



The obvious fact here is that both of these campaigns, “Your Money or Your Life” and “Stay in Your Lane”, are coming from the urgent need to combat fake news. They’re looking for multiple ways to get there.



If I were building solutions to do this I’d be doing something like this:

Find out what an author is talking about
    Parse their content and do topic analysis
Rate their authority on each of their topics
    Look at inbound links
    Evaluate samples of their factual claims in topic
    Look for credentials on LinkedIn and About pages
    Make sure they’re standing behind their claims
Lower the rankings of sites who score badly


I get it. It makes sense. And I admire them for doing it, because it’s a matter of literal national and global security.



The problem is that sites like mine seem to be getting destroyed in the process. And it’s clear why that’s the case.



If a site is talking about many disparate topics—especially in an open and tentative way—it’s extremely difficult to tell the difference between a solid but curious intellectual and a complete idiot. So they bring the SERP hammer in both cases.



For Google, their ideal (trustworthy) site is one that talks about one thing and one thing alone, and does so with good sourcing, with clear authors who have their backgrounds right there in the open, and that never branches into topics they’re not experts in.



Again, I get that. But that’s no way to be an intellectual. Not for me anyway. I find the world fascinating, and I’m going to talk about it. For a number of reasons I am going to be more careful with claims in some cases, more careful to add sources when the argument is helped by data, etc.—but I can only flex so far.



This site is fundamentally a personal project. It’s where I learn, and then organize and share what I learn. And I learn by consuming and thinking (out loud, on “paper”).



So I’m not sure how screwed I am. It could be that I have permanently lost half my traffic—or maybe that’ll continue to fall.



But what I hope is that Google will eventually figure out that people like me exist, and that sites like mine exist, and they’ll adjust their Fake News algorithms to take them into account.



One friend of mine—Thomas Zickell—believes that the answer is hub pages, where you make your categories super clear to Google through top-level navigation. This way (the theory goes) Google can clearly see that you have multiple lanes, and will hopefully judge you independently for each of them.



So ideally you could then rank extremely high for areas where you’re a careful expert, and where you have unique and creative thought, and then less high (or not at all) where you’re just riffing on ideas outside your expertise.



I’m betting that’s what Google is working on solving, and that these first swipes of the sword in 2018 were basically emergency efforts to get the house in order.



If you know anyone at Google who might know about this, please let me know.



If I had to guess, I’d say that 2019 will see a number of adjustments to those initial efforts that are designed to bring multi-discipline sites back into focus without opening the gates to the garbage that used to rank well for the wrong reasons.



Meanwhile, I’ll be working on other SEO hygiene trying to get some of my traffic back while they figure it out.



Notes


The other thing I’ll be trying in the meantime is making my overall content categories more clear in the top navigation.



Published on December 27, 2018 14:31

The Difference Between Decompilers, Disassemblers, Debuggers, and Hex Editors



For people looking to get into reverse engineering, the barrier to entry can be fairly steep—starting with the terminology. Here are the differences between a few key tools of the trade.




Decompilers reverse binaries into higher-level languages, like C++.
Disassemblers reverse binaries into assembler language.
Debuggers allow you to view and change the state of a running program.
Hex Editors allow you to view and edit the raw bytes (the actual contents) of a binary.




Another set of things to know is the different kinds of programming languages. Here they are—from low to high levels of abstraction from the CPU.



Modern languages like Python and Ruby are considered high-level languages, but are functionally a level above.




Machine Code is the 1’s and 0’s executed by a CPU.
Assembler is the next level up, and is the first human-readable level, but just barely.
High-level—also called Compiled—languages include C and C++, and they’re the first level of functionally readable code.
Interpreted Languages are languages like Perl, PHP, Python, and Ruby, which require an environment to run them, and trade speed for readability.
Bytecode Languages are languages like Java and .NET, which are cross-platform like Interpreted languages, but with similar readability and speed to compiled languages.


Summary


To go from binary to assembler, use a disassembler.
To go from binary to a higher-level language, use a decompiler.
To edit a particular part of a binary’s contents, use a hex editor.
To interact with an application as it’s running, use a debugger.
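The four tools above, as an added example that is not code from the original post or from any tool it names: one constructed 11-byte x86-64 function (hand-assembled for this example and labelled as such in the code) is shown the way a hex editor presents it (raw bytes and ASCII, no interpretation), the way a disassembler presents it (mnemonics), and the way a toy decompiler would lift it (a line of C). A hex-editor style patch of a single byte then changes the constant the function returns, and the disassembler and decompiler views follow the change. The disassembler decodes only the handful of opcodes the sample uses, and the decompiler recognises only this one function shape; both are assumptions made to keep the example short, not a description of how real tools work.

```python
"""Added example (not from the original post): the same constructed 11 bytes of
x86-64 machine code as a hex editor, a disassembler and a toy decompiler would
each present them, plus a hex-editor style byte patch."""
import struct

# Constructed sample, hand-assembled for this example: a function that returns 42.
#   55                push rbp
#   48 89 e5          mov  rbp, rsp
#   b8 2a 00 00 00    mov  eax, 0x2a
#   5d                pop  rbp
#   c3                ret
SAMPLE = bytes.fromhex("554889e5b82a0000005dc3")

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]


def hexdump(data, width=8):
    """Hex-editor view: offset, raw bytes, printable ASCII. No interpretation at all."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3}} |{asc}|")
    return lines


def disassemble(data):
    """Minimal x86-64 disassembler covering only the opcodes this example needs.
    Returns (offset, raw_bytes, text). Bytes it cannot decode become 'db 0x..'
    so decoding keeps going, which is also what real disassemblers do on data."""
    out, i = [], 0
    while i < len(data):
        start, rex_w, op = i, False, data[i]
        if op == 0x48 and i + 1 < len(data):      # REX.W prefix: 64-bit operands
            rex_w, i = True, i + 1
            op = data[i]
        reg_form = i + 1 < len(data) and (data[i + 1] >> 6) == 3   # ModRM mod == 11
        if 0x50 <= op <= 0x57:
            text, i = f"push {REG64[op - 0x50]}", i + 1
        elif 0x58 <= op <= 0x5F:
            text, i = f"pop {REG64[op - 0x58]}", i + 1
        elif op == 0x89 and reg_form:             # MOV r/m, r (register form only)
            regs = REG64 if rex_w else REG32
            m = data[i + 1]
            text, i = f"mov {regs[m & 7]}, {regs[(m >> 3) & 7]}", i + 2
        elif op == 0x31 and reg_form:             # XOR r/m32, r32 (register form only)
            m = data[i + 1]
            text, i = f"xor {REG32[m & 7]}, {REG32[(m >> 3) & 7]}", i + 2
        elif 0xB8 <= op <= 0xBF and i + 5 <= len(data):   # MOV r32, imm32
            imm = struct.unpack_from("<I", data, i + 1)[0]
            text, i = f"mov {REG32[op - 0xB8]}, 0x{imm:x}", i + 5
        elif op == 0x90:
            text, i = "nop", i + 1
        elif op == 0xC3:
            text, i = "ret", i + 1
        else:
            text, i = f"db 0x{op:02x}", i + 1
        out.append((start, data[start:i], text))
    return out


def decompile(instrs):
    """Toy decompiler: lifts exactly one shape (prologue, mov eax imm, epilogue) to C.
    A real decompiler recovers control flow and data flow generically; this only
    shows that its output is a higher-level language rather than assembler."""
    texts = [t for _, _, t in instrs]
    if (len(texts) == 5 and texts[0] == "push rbp" and texts[1] == "mov rbp, rsp"
            and texts[2].startswith("mov eax, ") and texts[3] == "pop rbp"
            and texts[4] == "ret"):
        value = int(texts[2].split(", ")[1], 16)
        return f"int f(void) {{ return {value}; }}"
    return None


def patch(data, offset, new_bytes):
    """Hex-editor style edit: overwrite bytes at an offset; everything else is untouched."""
    if offset < 0 or offset + len(new_bytes) > len(data):
        raise ValueError("patch lies outside the binary")
    return data[:offset] + bytes(new_bytes) + data[offset + len(new_bytes):]


if __name__ == "__main__":
    print("\n".join(hexdump(SAMPLE)))                      # hex editor view
    for off, raw, text in disassemble(SAMPLE):              # disassembler view
        print(f"{off:04x}: {raw.hex():<12} {text}")
    print(decompile(disassemble(SAMPLE)))                   # decompiler view
    patched = patch(SAMPLE, 5, b"\x07")                     # immediate 0x2a -> 0x07
    print(decompile(disassemble(patched)))                  # now returns 7
```

Running the file prints all three views of the same bytes and then the patched result. The fallback to `db` in the disassembler is worth noting: a disassembler has no way to know whether bytes are code or data, so pointing one at the wrong offset produces plausible-looking nonsense, which is one reason a debugger (which sees what the CPU actually executes) is a different tool from a disassembler.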



Published on December 27, 2018 01:53
