Daniel Miessler's Blog, page 91

Don’t call them cameras or microphones anymore. Those are human-centric names, and humans are about to be the Neandertals of detection.

I first heard this idea regarding cameras from Benedict Evans.

What we’re moving towards is a world where sensors are everywhere—and of multiple types:

Visible light
Non-visible light
Radio waves
Sound
Vibration
Chemicals
Radioactivity
Air pressure
Etc, etc.

These sensors will be sold as single units that can be deployed at scale by cities and companies, and they’ll be installed in everyday objects like buildings, street lights, sidewalks, park benches, restaurants, corporate workplaces, walls, ceilings, vehicles, etc.

In the past we would have had giant teams of humans looking at all this data. Well actually, we wouldn’t have been able to deploy them because there aren’t enough people to look at the data. But now we can—because of algorithms.

The combination of sensors and algorithms is about to become the most important tool for corporate and civic management.

Algorithms watch 24/7. They never get tired. They can update automatically across the entire world that’s using them. They can constantly improve based on new data. And they will be able to combine information from multiple sensor types into insights that we could never produce as humans.

Here are some examples of the types of things we’ll be able to do:

Measure the pharemones and body language in a room to estimate the chance of a fight breaking out.
Scan the way people are walking to determine if they’re likely carrying weapons.
Watch facial expressions and listen to voices to determine the current emotional state of various people.
Watch people’s body language, combined with body scans, combined with facial recognition, combined with their entire background, to determine their threat level in public places.
Scan everything about a public area to determine its current danger level, who the most dangerous people are, who should be controlled first if authorities arrived, where the best vantage points are for police, etc.

These probably seem scary to you, but they’re coming. My role is to make you aware, not to tell you it’ll all be ok.

And there will be positive, consumer-focused versions of these things too—like finding the best place to propose, the best place to go for a hike based on visibility and temperature and foot traffic.

The possibilities for companies’ efficiency, for city management, for optimizing consumer experiences—are nearly endless.

Everything starts with data, and that’s what these sensors will provide. They’ll tell us the current state of the world at any given moment—with more sensors in more places (and better capabilities and sensitivity) giving us even more data freshness and resolution.

That data will be fed constantly into millions of algorithms working continuously to provide various types of value—to different audiences. Some sensors will be publically available, but many will be restricted by a government or corporation for official use.

If you think this will dramatically affect privacy, you’re right.

Privacy in the future will not be about whether someone has your data—it’ll be about whether the right people have it, and are being careful with it.

That your data is out there will be a given.

Anyway, the next time you look at a camera, think about how primitive it is. The idea of a sensor that only takes one kind of input for review by a human. A human that sleeps and defecates and gets bored and distracted.

Sensors of the future are mutli-dimensional and linked directly to algorithms that continuously interpret the inputs.

The interesting thing about this is that the hardware doesn’t need to be upgraded that often. Or, at least for quite some time, most of the upgrades to the sensor and algorithm pairing will come from improvements to the algorithms.

You may think that I’m a bit to bullish on this prolific sensor stuff, and that I’m ignoring the Black Mirror abuse cases that can potentially come from them.

I’m not. I’m not ignoring them.

I see this going both ways—Black Mirror and also a far more advanced Star Trek. And I’m pulling for the latter.

Either way we can’t stop what’s coming.

AI reminds me a lot of the gun debate in that way. We don’t want dangerous people to have it, but if people are solid then it won’t matter if they do.

A healthy and kind society can have these tools (see weapons) and not cause harm, but the moment something goes sideways the opportunity will rise for abuse. And at that point you don’t want the power-hungry teenager to have insights to everyone’s location, personal preferences, etc.

Just get ready. That’s what I’m saying.

Cameras and mics become sensors. Algorithms replace the humans on the other end. And the sensors will be deployed everywhere.

You’re going to be able to look at a city center scene and see unbelievable things using this technology. Millions of algorithms parsing thousands of inputs from multiple perspectives, and then creating analysis and visualizations for human decision-makers (in addition to the automated choices that will be done without any intervention at all).

It’s coming. Get ready.

—

I spend between 5 and 20 hours creating this content every week. If you're someone who can afford fancy coffee, please consider becoming a member for just $5/month…

Start Membership

Thank you,

Daniel

Don’t call them cameras or microphones anymore. Those are human-centric names, and humans are about to be the Neandertals of detection.

I first heard this idea regarding cameras from Benedict Evans.

What we’re moving towards is a world where sensors are everywhere—and of multiple types:

Visible light
Non-visible light
Radio waves
Sound
Vibration
Chemicals
Radioactivity
Air pressure
Etc, etc.

These sensors will be sold as single units that can be deployed at scale by cities and companies, and they’ll be installed in everyday objects like buildings, street lights, sidewalks, park benches, restaurants, corporate workplaces, walls, ceilings, vehicles, etc.

In the past we would have had giant teams of humans looking at all this data. Well actually, we wouldn’t have been able to deploy them because there aren’t enough people to look at the data. But now we can—because of algorithms.

The combination of sensors and algorithms is about to become the most important tool for corporate and civic management.

Algorithms watch 24/7. They never get tired. They can update automatically across the entire world that’s using them. They can constantly improve based on new data. And they will be able to combine information from multiple sensor types into insights that we could never produce as humans.

Here are some examples of the types of things we’ll be able to do:

Measure the pharemones and body language in a room to estimate the chance of a fight breaking out.
Scan the way people are walking to determine if they’re likely carrying weapons.
Watch facial expressions and listen to voices to determine the current emotional state of various people.
Watch people’s body language, combined with body scans, combined with facial recognition, combined with their entire background, to determine their threat level in public places.
Scan everything about a public area to determine its current danger level, who the most dangerous people are, who should be controlled first if authorities arrived, where the best vantage points are for police, etc.

These probably seem scary to you, but they’re coming. My role is to make you aware, not to tell you it’ll all be ok.

And there will be positive, consumer-focused versions of these things too—like finding the best place to propose, the best place to go for a hike based on visibility and temperature and foot traffic.

The possibilities for companies’ efficiency, for city management, for optimizing consumer experiences—are nearly endless.

Everything starts with data, and that’s what these sensors will provide. They’ll tell us the current state of the world at any given moment—with more sensors in more places (and better capabilities and sensitivity) giving us even more data freshness and resolution.

That data will be fed constantly into millions of algorithms working continuously to provide various types of value—to different audiences. Some sensors will be publically available, but many will be restricted by a government or corporation for official use.

If you think this will dramatically affect privacy, you’re right.

Privacy in the future will not be about whether someone has your data—it’ll be about whether the right people have it, and are being careful with it.

That your data is out there will be a given.

Anyway, the next time you look at a camera, think about how primitive it is. The idea of a sensor that only takes one kind of input for review by a human. A human that sleeps and defecates and gets bored and distracted.

Sensors of the future are mutli-dimensional and linked directly to algorithms that continuously interpret the inputs.

The interesting thing about this is that the hardware doesn’t need to be upgraded that often. Or, at least for quite some time, most of the upgrades to the sensor and algorithm pairing will come from improvements to the algorithms.

You may think that I’m a bit to bullish on this prolific sensor stuff, and that I’m ignoring the Black Mirror abuse cases that can potentially come from them.

I’m not. I’m not ignoring them.

I see this going both ways—Black Mirror and also a far more advanced Star Trek. And I’m pulling for the latter.

Either way we can’t stop what’s coming.

AI reminds me a lot of the gun debate in that way. We don’t want dangerous people to have it, but if people are solid then it won’t matter if they do.

A healthy and kind society can have these tools (see weapons) and not cause harm, but the moment something goes sideways the opportunity will rise for abuse. And at that point you don’t want the power-hungry teenager to have insights to everyone’s location, personal preferences, etc.

Just get ready. That’s what I’m saying.

Cameras and mics become sensors. Algorithms replace the humans on the other end. And the sensors will be deployed everywhere.

You’re going to be able to look at a city center scene and see unbelievable things using this technology. Millions of algorithms parsing thousands of inputs from multiple perspectives, and then creating analysis and visualizations for human decision-makers (in addition to the automated choices that will be done without any intervention at all).

It’s coming. Get ready.

—

I spend between 5 and 20 hours creating this content every week. If you're someone who can afford fancy coffee, please consider becoming a member for just $5/month…

Start Membership

Thank you,

Daniel

One of the most frustrating things to me as a security person is having sales and marketing types confuse the different types of security assessment.

Similarities

First, let’s start with similarities.

They’re both types of security assessment, meaning their goal is to improve the security of an organization.
They’re also both based on behaving—to some degree—like an attacker.
They’re both focused on results rather than coverage—so they aren’t designed to tell you everything wrong with a company, but rather to show you the specific issue(s) they uncovered.
They both should be used by higher maturity customers, i.e., customers that have already gone through multiple rounds of vulnerability assessment and patching.


Differences

Sales and marketing types love to mix these two together based on whichever one gets more reaction from the customer.

As you can see, Red Team engagements and Penetration Tests have a lot in common, but they are also quite distinct from each other as well.

Penetration Test: A time-boxed technical assessment designed to achieve a specific goal, e.g., to steal customer data, to gain domain administrator, or to modify sensitive salary information.

Red Team Engagement: A long-term or continuous campaign-based assessment that emulates the target’s real-world adversaries to improve the quality of the corporate information security defenses, which—if one exists—would be the company’s blue team.

The origin comes from the military, where an independent group that challenges an organization to improve its effectiveness.

Discussion

Penetration Tests are short-term challenges to one’s security posture, and ideally should be done when you think you have your stuff together and you want someone to validate that assumption. They can be network-based, use physical attacks, social engineering, phishing, be application-focused—or all of the above.

Today the term is quite diluted, with Penetration Testing meaning something different to almost everyone. And there are thousands of companies that will sell you one. The problem is you have no way of knowing if you’ll get a Nessus scan or a custom, high-quality manual assessment.

Somewhere around 2017 the Red Team became the assessment de jour for much of the industry. The problem is that only a tiny percentage of security services companies can actually execute them.

The main distinctions between Penetration Test and Red Team are:

Duration: Red Team engagements should be campaigns that last weeks, months, or years. The blue team and the target’s users should always be in a state of uncertainty regarding whether a given strange behavior is the result of the Red Team or an actual adversary. You don’t get that with a one or two week assessment.
Multi-domain: While Penetration Tests can cross into multiple domains, e.g., physical, social, network, app, etc.—a good Red Team almost always does.
Adversary Emulation: The item that separates a random Penetration Test from a Real Red Team engagement is that Penetration Tests generally involve throwing common tools and techniques at a target, whereas a Red Team should be hitting the organization with attacks that are very similar to what they expect to see from their adversaries. That includes constant innovation in terms of tools, techniques, and procedures, which is in strong contrast to firing up Nessus and Metasploit and throwing the kitchen sink.


Exploitation

In general, Penetration Tests and Red Team engagements are more likely than Vulnerability Assessments to use exploitation, or proofs of concept, to show that vulnerabilities actually exist. But it’s important to understand that exploitation is not necessary if the evidence is obvious enough to the receiver of the report.

Summary

You can ask for a Pentest or Red Team as a low-maturity customer, but you’ll just be wasting money.

Both Pentests and Red Team engagements are based on acting like an attacker, they’re focused on results rather than coverage, and should only be requested by high-maturity customers.
Penetration Tests are usually very short engagements of one to two weeks, whereas Red Team engagements should be campaign-based, long-term, and/or effectively continuous.
Red Team engagements are usually cross-domain, where only some Penetration Tests have that quality.
Red Team engagements should constantly create new tools and techniques to emulate their adversaries, while Pentest groups usually use off-the-shelf frameworks and standard pentester tactics.

This should help you tell these two assessments apart, and if you want to know when to use which kind of assessment, you can read my guide:

When to Use Vulnerability Assessments, Pentesting, Red Teams, and Bug Bounties

Notes


The only real reason to do a Penetration Test in a low-maturity company is to bring skeptical decision-makers to religion by showing them that yes—they really should be listening to their security person.

—

I spend between 5 and 20 hours creating this content every week. If you're someone who can afford fancy coffee, please consider becoming a member for just $5/month…

Start Membership

Thank you,

Daniel

This is a member-only even episode. Members get the newsletter every week, as well as access to all previous episodes, while free subscribers only get odd episodes every other week.

—

I spend between 5 and 20 hours creating this content every week. If you're someone who can afford fancy coffee, please consider becoming a member for just $5/month…

Start Membership

Thank you,

Daniel

Medium has quietly been making a series of changes that are all bad news for writers who still publish articles on their platform.

I discovered the most recent—and most significant—change when I emailed the Medium support a few days ago asking to update the canonical links of the e-Residency article that I had just re-written and updated on nomadgate.com.

It’s no longer possible to change canonical links of articles.

Source: Posting Evergreen Content on Medium is a Terrible Idea | Behind the Scenes of Nomad Gate

I wrote a while back about how Medium isn’t a great option for blogging. The basic idea is that it looks out for itself, not for you.

Well, this new move on their part makes that even more pronounced. You used to be able to canonically link to your own site when you post to Medium. But now they’re killing that off. They had a plugin that could do it, but they’ve stopped maintaining it.

This reinforces my recommendation regarding writing online:

Keep everything on your own site as much as possible.
Use very few third-party services, and ideally none. This means anything that involves third-party domains that you don’t control fully.
Your domain is everything. It’s your center of truth going forward for decades. Protect that source of truth.

So whether it’s Facebook, Medium, Tumblr—whatever—stop that, and get on your own domain.

Really.

Your domain is your home, and anything you do away from there will end up hurting you when it either 1) goes away, or 2) changes management and starts doing things you don’t like and cannot accept.

Do.
As much as possible.
On your own domain.

—

I spend between 5 and 20 hours creating this content every week. If you're someone who can afford fancy coffee, please consider becoming a member for just $5/month…

Start Membership

Thank you,

Daniel

I’m not sure where all I am getting this from, but I know it’s multiple angles. I just got done watching a documentary on Mr. Rogers, and something struck me about his background: he grew up with a rich and successful family.

Bertrand Russell then came to mind. He was from a rich family as well, and he was able to spend his life becoming educated, and being curious. And what he gave the world was unbelievable.

These are anecdotes, of course, not data. But there’s more. This research here showed that it wasn’t just good grades or intelligence that made inventors—it’s mostly people who come from rich families.

And there’s another body of research that shows that trauma in early life leads to massive issues when you’re older, including things like dramatically shorter lifespans, mental health issues, etc.

To me these anecdotes and studies combine to reveal a simple truth—or a potential truth anyway—which is that creativity and innovation are luxuries just as much as nice cars, private educations, and summer homes.

Photo by Sharon Pittaway

We like to see creativity and a good work ethic as something that’s part of your soul. Something that comes with you as you exit the womb. And that’s fine. But if you’re going to reward that then you should also reward people who are tall and beautiful, which we instinctively know didn’t come from hard work.

And to the extent that creativity can be enhanced and cultivated through a stable, loving life, we owe it to every human to let them have that opportunity. Not a guaranteed outcome. Not an art exhibition for everyone. No, only the good ones.

But we have to give everyone a chance to be good, and that means not stunting them in early childhood.

The rich have many advantages, and it’s time for us to start seeing the freedom that allows one to be curious and creative as one of them.

Notes


It’s also possible to grow complacency and mediocrity in a life of leisure, and it’s similarly possible to create fighters from adversity, who then go on to achieve. But I think generally that you want to instill a hard work ethic at the same time that you’re providing love, stability, and intellectual stimulation.

—

I spend between 5 and 20 hours creating this content every week. If you're someone who can afford fancy coffee, please consider becoming a member for just $5/month…

Start Membership

Thank you,

Daniel

Brian Krebs ran a story recently about how FICO has a new service for rating the Cybersecurity risk level of various companies. Problem is, in one of their marketing communications about the new offering, they leaked the actual report data for a little company called ExxonMobil.

I find this space both strange and fascinating.

On one hand I like the idea of people looking out for each other by evaluating how risky companies are and then sharing that knowledge with others. This type of thing is basically necessary given how many entities a given company has to do business with. It’s virtually impossible to do risk assessments on all of them yourself. So that’d be nice if there was good data out there, being shared for the benefit of everyone.

Unfortunately, I’ve seen a number of these companies and their reports over the years, and the product seldom matches the packaging. Here are a few of the problems I’ve seen.

You have to pay to get access to the data that’s supposedly for the greater good. I’m obviously pro-business, and pro-innovation, and pro-all-those-things-you-like. But if I had to pay a micropayment to read an FDA label I’d be pretty pissed. And that’s where we’re getting with supply chain security and complex products (all of them) today. If something is made out of 100 different components, how do you trust the final branded version?
It’s really hard to keep data updated on companies, so these risk scores are often wildly inaccurate. Heck, most companies can’t even keep their own asset data up to date, and they have full access to the data. So the idea that a private company is going to do it well is a pretty hard sell. It’s possible, of course, but I’ve not seen it from any of the players so far. Continuous asset management is hard.
It’s also not trivial to get your own data updated in these systems. So let’s say your sales team calls you up and invents some new cuss words because your WIZBANG score is too low, you might look at the data and see that it’s really bad. Not your domains. Not your IPs. Not your systems. Strange risk calculations. The ports were faked, not really open. Whatever. The processes that I’ve seen so far for getting that data updated, with each side exchanging contradictory evidence isn’t great. And in the meantime, you could be losing market share, deals, and reputation.

What I see from all this is a lot of externalities, which are basically unintended consequences of a well-meaning policy or action. Like, at what point are you liable for damage that results from your ratings? What if you lose business because of an incorrect and low rating? Or what if a low rating puts you on the radar of attackers, and results in a breach that wouldn’t have happened otherwise?

I think once you start making claims about the security of thousands of very important entities, in any way that’s meant to be consumed by others, you take on a huge amount of responsibility.

I’m not willing to damn the entire space, though. The work needs to be done, and this space in the industry seems to be the only one that’s managing a thrust. It reminds me a lot of the conference scene, actually.

Everyone wants more conference speakers, but they also want fewer vendors trying to sell their wares. Yet most of the talks submitted are by people working at companies—many of which are at the conference paid for by a sales or marketing budget. It’s kind of gross, but the alternative seems to be having conferences with no speakers.

Summary


If you’re a company, go to all these services (FICO, Security Scorecard, Bitsight, etc.) and find out what you’ve been rated at. If you see anything inaccurate, work with them to fix it.
If you’re a vendor who’s considering not doing business with a company because they have a low score on one of these services, look at the specific markers and contact someone at the company directly. You might find that the score is inaccurate enough that you’re more comfortable moving forward.
If you’re a vendor in this space, do your absolute best to balance the public good with the need to make money as a business. And consider adding an accuracy and freshness rating to the data you have on your portfolio companies.

No need to run away, but proceed with caution.

—

I spend between 5 and 20 hours creating this content every week. If you're someone who can afford fancy coffee, please consider becoming a member for just $5/month…

Start Membership

Thank you,

Daniel

To me the main feature is that they’re the beginning of config-file-based infrastructure.

Imagine a language that can translate a business requirement into a full tech stack.

That’s where we’re heading.

— ᴅᴀɴɪᴇʟ ᴍɪᴇssʟᴇʀ (@DanielMiessler) December 15, 2018

I saw this tweet by Dan Kaminski recently, and gave a quick response as one does on Twitter. But I think the thougt is worth a bit more time.

Dan’s defense of Docker resonated with me because I see it as the start of something big. I did a Kubernetes class a while back and it fundamentally altered how I look at information technology.

What it taught me is to not see servers, and apps, and systems as hardware, or software—but rather as text files. Their configs. Infrastructure configs.

That’s insane to me.

While I was in the class I kept talking about how I love my Linux servers, and my Linux distributions, and customizing my system, tweaking, polishing, etc. The command-line for my servers are homes for me. They’re friends.

At one point I SSH’d into a particular lab system during the class, and the guy teaching it was like:

What are you doing?

I told him I wanted to optimize something, and he’s like:

You should never have to touch these boxes. If there’s something wrong, change the config and redeploy.

You’re basically saying, “Here’s the exact environment I want to be up and perfect at all times, and bring things up and down as necessary to make sure it stays that way.” That’s godlike.

I feel like the levels of ephemerality go something like:

Iron
Virtual machine
Container
Function

Anyway, what interests me about this is that the last two are designed to be programmatically created, maintained, and destroyed. To me that mixes perfectly with something that’s ripe for text-file-ification—the creation of business requirements.

So imagine a world where both business requirements and IT infrastructure were able to be communicated using standard syntax.

I need a highly-redundant website that can be updated often by the marketing department, with localization enabled for the U.S., China, and Korea. We expect around 10,000 users a day, but could burst to up to half a million.

It’s a long way away still, but this will become a config. Let’s call it BRL, for Business Requirement Language.

Then you have another language that describes IT infrastructure, called Infrastructure Description Language (IDL). And tools will exist to read BRL and create an implementation on any cloud infrastructure, since they’ll all speak BRL and IDL.

Of course this doesn’t build your entire application, since that requires proprietary code, content, and or data, but all those will have their own hooks and handles as well.

The next natural step is to be able to have your Digital Assistant help you do the whole thing. So, dictation–>BRL–>IDL.

From there, it’ll be another step to desploy your specific application and data to the infrastructure, which I think will get its own optimization. Perhaps a middle layer that understands both infrastructure and, data, platforms, stacks, etc, which can naturally match those up and turn them into a deployment script.

That’s further away for sure, but I don’t think the business requirements and infrastructure description piece is all that distant—at least not for simple deployments.

This is the way we should be thinking about IT—as an unimportant, text-file-based abstraction layer. You just feed it requirements, like how many users, the type of apps it needs to support, how secure you need it to be, how reliable, etc.—and everything gets created for you.

There is an actual stopping point for all this, in a theoretical sense, which is a world where you articulate an idea and it’s brought into being. So, you describe how the app would look, how it would make people feel, the colors you’d like to use, etc.—and it would build it all for you.

Intermediate steps will see various Mechanical Turk Style people working in the background to make that happen “automatically”, but over time this will all get automated.

Anyway, that’s multiple decades away—if we ever get there.

But this translation between business need and infrastructure is something we should start looking to come over the horizon soon.

—

I spend between 5 and 20 hours creating this content every week. If you're someone who can afford fancy coffee, please consider becoming a member for just $5/month…

Start Membership

Thank you,

Daniel

Start Membership

Thank you,

Daniel

My friends and I have always had a fun game we play, where we imagine what we’d do if we were thrust backward in time.

So you’re like dropped in Rome at 1 BC, or Britain in 1300. What would you do?

We’re ignoring language, but that’s important too of course.

You know all these technologies are possible, but do you know how to tell anyone? So I’m making this post to keep my skills up—just in case.

Here’s a list of things I think we would want to be able to explain and/or build.

Printing Press
Germ Theory
Heliocentrism
Gunpowder
Anti-biotics
Maxwell’s Equations
Laws of Thermodynamics
Newton’s Laws of Motion
Relativity
Steam Engine
Combustion Engine

What am I missing?

I’m going to keep updating this post. I’m going to answer each one in as simple terms as possible.

—

I spend between 5 and 20 hours creating this content every week. If you're someone who can afford fancy coffee, please consider becoming a member for just $5/month…

Start Membership

Thank you,

Daniel