Steve Thomas - IT Consultant

In a nondescript building near Moffett Field, still undistracted by any VC funding, an 80-person company named Made In Space is building tools for the next generation of satellites and space exploration, including most remarkably, the first self-manufacturing satellite, due for launch in three years’ time.

Building in space rather than on the ground, courtesy of 3D printers and automated assembly, comes with many advantages. You can save volume by sending dense feedstock for 3D printers rather than capacious constructed objects. More importantly, if you don’t have to build to survive the traumatic forces of launch, you can use more fragile designs, and hence less mass.

Made in Space’s 3D printers have already done several tours of duty on the International Space Station. “Five years ago, manufacturing in space was a dream,” says Andrew Rush, co-founder and CEO. “Now there are months we’re manufacturing so much stuff in orbit it seems almost pedestrian.”

“We have manufacturing, we have printing, now let’s get assembly, let’s get robotic operations,” concurs Jim Bridenstine, as behind him a robot arm loops wires onto a full-size 3D-printed reflector disk, in a headquarters decorated with classic Star Trek posters and the world’s largest 3D-printed object. (A 37.7-meter long tube of aerospace polymer. They stopped there because they ran out of hallway.) That breakthrough launch, targeted for 2022, is called Archinaut One.

It’s not that the entire satellite will be constructed in orbit from bricks of polymer and wire, obviously. But Archinaut One, for which NASA has awarded Made in Space $73.7 million, will manufacture two ten-meter-long wings of solar arrays rather than unfold the customary smaller panels, generating “as much as five times more power than traditional solar panels on spacecraft of similar size.”

The potential commercial applications are numerous. Most obviously, Internet-via-satellite solutions require bandwidth, and, basically, power equals bandwidth. Bridenstine, who extols how this work was done by a small business rather than by NASA proper, clearly prefers NASA as a customer of the private space sector, or better yet “one of many customers,” rather than owning / building new technologies itself. Archinaut One is in turn something of a prototype for eventual robotic construction of the controversial Lunar Gateway.

But whether you’re convinced by the Gateway architecture or a serious skeptic of it, Made in Space’s technology is genuinely exciting, and impressively multifaceted. They intend to recycle waste polymer on the ISS. They plan to manufacture optical fiber in space which would “greatly outperform” standard fibers. They do sheet-metal extrusion and are interested in 3D printing metals as well as polymers in space.

Most interesting of all is their approach to converting lunar and other regolith into 3D-printing feedstock and using it to construct extremely strong, and airtight, structures. It turns out that 70% moondust can be mixed with 30% polymer nodules into a mix that can be heated into 3D feedstock for a remarkable one-thirtieth the energy cost of sintering. Their ridiculously awesome, ridiculously ambitious long-term plan to construct spacecraft from asteroids is called “Project RAMA,” presumably a nod to the Clarke novel.

That sounds a lot like the proverbial pie in the sky, but given their accomplishments to date, Made in Space has earned the right to be taken seriously. The company’s four co-founders met in Singularity University, talked NASA into giving them a dusty disused basement room as their initial office, and, despite being just a few miles from Sand Hill Road, have since grown to their current size without taking any dilutive funding — no less an achievement than their science and engineering feats to date.

Cryptocurrencies are a religion as much as they are a technology. They almost have to be, given their adherents’ gargantuan ambition of fundamentally changing how the world works. This means they attract charlatans, lunatics, frauds, and false prophets, and furious battles are waged over doctrinal hairsplitting; but it also means they inspire intransigent beliefs which can, and do, unify many thousands of wildly different people across continents and time zones.

This occurred to me while I was rereading Gibbon’s Decline and Fall, as one does, and in particular its depictions of the early days of the Christian faith:

But whatever difference of opinion might subsist between the Orthodox [church], the Ebionites, and the Gnostics, concerning the divinity or the obligation of the Mosaic law, they were all equally animated by the same exclusive zeal; and by the same abhorrence for idolatry … the established religions of Paganism were seen by the primitive Christians in a much more odious and formidable light. It was the universal sentiment both of the church and of heretics, that the daemons were the authors, the patrons, and the objects of idolatry.

For Orthodox church, Ebionites, and Gnostics, you can read perhaps, “Bitcoin maximalists”, “Blockchain not bitcoin,” and “Ethereum maximalists.” They disagree bitterly, but one view they all share is a disdain verging on, and frequently exceeding, contempt for fiat currencies, untokenized assets, and most other aspects of money and finance as they are currently constructed. Instead they share a deep belief in the superiority, and inevitable supremacy, of a very different world.

The superstitious observances of public or private rites were carelessly practised, from education and habit, by the followers of the established religion. But as often as they occurred, they afforded the Christians an opportunity of declaring and confirming their zealous opposition. By these frequent protestations their attachment to the faith was continually fortified; and in proportion to the increase of zeal, they combated with the more ardor and success in the holy war, which they had undertaken against the empire of the demons.

I think few will disagree that, similarly, many cryptocurrency devotees seek out and seize every “opportunity of declaring and confirming their zealous opposition” to government money, central banks, rival maximalists, and other features of the monetary, financial, and/or centralized status quo.

The careless Polytheist, assailed by new and unexpected terrors, against which neither his priests nor his philosophers could afford him any certain protection, was very frequently terrified and subdued by the menace of eternal tortures. His fears might assist the progress of his faith and reason; and if he could once persuade himself to suspect that the Christian religion might possibly be true, it became an easy task to convince him that it was the safest and most prudent party that he could possibly embrace.

Similarly I don’t think it’s controversial to note that prophecies of the hyperinflation and collapse of national currencies, the downfall of central banks and fractional reserve banking in general, etc., are not unheard of among some of the … edgier … cryptocurrency people. One might even refer to the notion of “preaching the gospel” of deflationary, censorship-resistant cryptocurrency, sometimes in the hopes of scaring everyone who hears this doomsaying into buying some Bitcoin as a hedge.

Of course the religious parallels do not end with Gibbon. Cryptocurrencies were given to us not by a known, living, breathing, flawed human being, but by a pseudonymous verging-on-mythical quasi-demigod. (Cf eg “Satoshi’s Vision.”) Mythically speaking, that’s easily analogized to Prometheus granting humanity fire, or Moses bringing the stone tablets down from Mount Sinai. They have real and false prophets. There’s even a “Bitcoin Jesus.” And all promise a better world tomorrow, while demanding sacrifices and inconveniences today.

My tongue is obviously in cheek here — but I’m not entirely unserious. Of course all money is ultimately backed by faith (cf “full faith and credit.”) But this is I think unquestionably more true of cryptocurrencies, especially because, a decade on from their creation, they have failed — so far! — to transform the world to a degree anything like their proclaimed potential.

Bitcoin itself is apparently going from strength to strength, as can be seen in its increasing dominance of total cryptocurrency market capitalization, but it’s still beyond tiny compared to the rest of the financial world. Its total trading volume as I write this is roughly $15 billion per day, which admittedly sounds like a lot, but compared to the $5.1 trillion a day for the forex market as a whole, it’s roughly one-quarter of one percent.

More importantly, Bitcoin continues to technically iterate (although I’ve grown skeptical about Lightning, which it seems to me will always suffer from all the end-user inconveniences of prepaid credit cards, with few balancing advantages) and has hovered near or above $10,000 in value for months now. But the uncertainties and investigations regarding Tether remain a threatening cloud on its horizon.

As for other cryptocurrencies, though — well, these are complex times.

Ethereum, the best-known and perhaps most interesting, has gone from a wave of DAO excitement shortly after its launch, which faltered, to a wave of ICO madness and “fat protocol” DApps (decentralized applications), which also faltered, to the latest wave and watchword, “DeFi” aka decentralized finance. This essentially aims to reinvent all of Wall Street and the City of London on the blockchain(s), in the long term.

Meanwhile, the technical underpinnings that would allow Ethereum to scale to Wall Street size, known as “Ethereum 2.0,” remain more notional than real. I’m a big fan of Ethereum (my own pet crypto project is built on it) and I don’t think DeFi is doomed to failure … but under the circumstances I can understand skepticism creeping in among those who are not true believers.

There are plenty of other technically interesting cryptocurrency initiatives: from privacy coins such as ZCash, Monero, and Grin, to the use of Tezos by Brazil’s fifth largest bank for security tokens (again, DeFi), to the growth and stabilization of Cosmos’s “internet of blockchains,” to Blockstack’s total-app-installs graph beginning to look a little more exponential than linear, albeit with still-tiny y-axis numbers.

However, I think it’s also fair to say that now that cryptocurrencies are no longer new, unknown, and fascinating, interest among both individuals and enterprises who are not true believers has waned considerably. The cultural whiplash one experiences when transitioning from a conference full of people convinced they are building a new technology that will transform the fundamental order of the world, to outsiders (even technical outsiders) remarking “oh, is that still a thing?” is increasingly sharp.

That was probably true of the Christians after they ceased to be new and interesting, though, and in the end the Christians conquered the most powerful empire in the world from within. I am definitely not prophesying the same outcome here. I continue to think cryptocurrencies will remain a financial alternative, albeit a very significant and important one, used only by a few percent of people.

But I am saying that seeming increasingly distant from the external consensus reality, being driven by intransigent and sometimes bewildering faith as much as rational analysis, and ongoing associations with a cloud of crazy scandal and hangers-on snake-oil salespeople — all of which would be catastrophic signs for, say, a traditional new startup — can actually be indicators of the strength, not weakness, of a strange new religion. Something to bear in mind as we move into the second decade of cryptocurrencies.

This week the New York Times published a five-years-later retrospective on Gamergate and its aftereffects, which is chilling and illuminating, and you should go read it. It makes an excellent case — several excellent written cases, actually — that “everything is Gamergate,” that it and its hate-screeching online mobs were the prototype for all the culture and media wars since and to come.

Sadly, the lesson expounded herein by the NYT is one which they — and other media — do not yet seem to have actually learned themselves.

Let’s look at another piece which called Gamergate a template for cultural warfare, using the media as a battleground. This one was written back in 2014, by one Kyle Wagner, in Deadspin, and its scathing, take-no-prisoners real-time analysis was downright prophetic. A few of its most important passages:

Gamergate is […] a relatively small and very loud group of video game enthusiasts who claim that their goal is to audit ethics in the gaming-industrial complex and who are instead defined by the campaigns of criminal harassment that some of them have carried out against several women […] What’s made it effective, though, is that it’s exploited the same basic loophole in the system that generations of social reactionaries have: the press’s genuine and deep-seated belief that you gotta hear both sides … that anyone more respectable than, say, an avowed neo-Nazi is operating in something like good faith

It is now clear to us all that that last statement is no longer correct … in that it is far too optimistic. Two years ago, the NYT made it apparent that they are in fact willing to assume “an avowed neo-Nazi is operating in something like good faith,” when they published a piece about “the Nazi sympathizer next door,” one variously called “chummy” (Quartz), “sympathetic” (Business Insider), and “normalizing” (NYT readers themselves, among many others.)

Back to Wagner in Deadspin:

The demands for journalistic integrity coming from Gamergate have nothing at all to do with the systemic corruption of the gaming media … The claims from what we like to call the “bias journalisms” school of media criticism aren’t meant to express anything in particular, or even, perhaps, to be taken seriously; they’re meant to work the referees, to get them looking over their shoulders, to soften them up in the hopes that a particular grievance, whatever its merits, might get a better hearing next time around.

How does it play out? Like this: Earlier this month, the New York Times covered Intel’s capitulation in the face of a coordinated Gamergate campaign, called “Operation Disrespectful Nod.”

Here’s that NYT piece from five years ago. It, in turn, begins:

For a little more than a month, a firestorm over sexism and journalistic ethics has roiled the video game community, culminating in an orchestrated campaign to pressure companies into pulling their advertisements from game sites.

That campaign won a big victory in recent days with a decision by Intel, the chip maker, to pull ads from Gamasutra, a site for game developers.

Intel’s decision added to a controversy that has focused attention on the treatment of women in the games business and the power of online mobs. The debate intensified in August, partly because of the online posts of a spurned ex-boyfriend of a female game developer.

Wagner’s inescapable conclusion:

The story continued in this vein—cautious, assiduously neutral, lobotomized […] Both sides were heard. And thus did Leigh Alexander’s commentary on the pluralism of gaming today get equal time with a campaign bent on silencing her. …Make it a story about an oppressive and hypocritical media conspiracy, and all of a sudden you have a cause, a side in a “debate.”

Gamergate, like so many bad-faith movements since, followed a variant of the “motte and bailey” strategy, which is

when you make a bold, controversial statement. Then when somebody challenges you, you claim you were just making an obvious, uncontroversial statement, so you are clearly right and they are silly for challenging you. Then when the argument is over you go back to making the bold, controversial statement.

Here, the motte is an ugly or vile cause — in Gamergate’s case, vicious misogyny — and the bailey is an entirely different purported argument — for Gamergate, “it’s about ethics in games journalism.” They work the latter argument for credibility, but entirely in bad faith, because it is tacitly understood, both internally and externally, albeit in a quasi-deniable way, that what they actually care about is their ugly cause.

This has become the playbook for so many modern disputes, because it continues to be a thoroughly effective way to manipulate the mainstream media. Arguments about purported “grievance politics,” or “the decline of America sanctioned by the elites,” or a manufactured, fictional “immigration crisis,” all continue to be treated by the media as legitimate grievances, and/or good-faith disputes, rather than a thin pretext for bald-faced racism and xenophobia.

Every so often the motte is accidentally revealed, as when the head of the USCIS said, just this week, that the famous poem which adorns the Statue of Liberty referred to “people coming from Europe.” But in general the pretense of the bailey is upheld.

Let me reiterate: the pretense. These are arguments knowingly made in bad faith. What’s more, the actual cause soon becomes apparent to those who investigate the subject with open and searching minds. Good journalists should not be willing to accept such distorted pretenses at face value, nor assume good faith without evidence. The NYT clearly made that mistake, fell into that trap, with Gamergate five years ago. As Wagner put it then,

What we have in Gamergate is a glimpse of how these skirmishes will unfold in the future—all the rhetorical weaponry and siegecraft of an internet comment section brought to bear on our culture, not just at the fringes but at the center.

How right he was. And yet it is all too apparent that, in the heart and at the heights of the New York Times, nothing of significance has been learned. How else to explain how, five years after Gamergate, and two years after “readers accuse(d) us of normalizing a Nazi sympathizer,” the NYT continues to treat exactly the same kind of bad-faith arguments as if they are meaningful, important, and valid? Most visibly with its most recent headline debacle, but that is only the tip of the wilfully ignorant iceberg.

In the aftermath of that headline incident, Dean Baquet, its executive editor, told CNN a remarkable thing: “Our role is not to be the leader of the resistance.” In other words, the publisher of this excellent recent Gamergate exegesis has learned nothing from it.

The NYT’s role should be to lead a resistance — not necessarily against any individual political party or figure, but a resistance of critical thinking, and searching analysis, against deceptive motte-and-bailey arguments. But they don’t seem willing to recognize that they are being manipulated by such bad-faith movements, much less accept that one of them has grown to occupy much of America’s political landscape. One wonders when the Gray Lady will finally open her eyes.

One of the scarier notions in the world today is the prospect of American voting machines being compromised at scale: voters thrown off rolls, votes disregarded, vote tallies edited, entire elections hacked.

That’s why the nation’s lawmakers and civil servants flocked (relatively speaking) to Def Con in Las Vegas this week, where hackers at its Voting Village do their best to prove the potential vulnerabilities — including, in some cases, remote command and control — of voting systems.

There are several ways to help secure voting. One, thankfully, is already in place: the decentralization of systems such that every state and county maintains its own, providing a bewildering panoply of varying targets, rather than a single tantalizing point of failure. A second, as security guru Bruce Schneier points out, is to eschew electronic voting machines altogether and stick with good old-fashioned paper ballots.

But paper ballots don’t help much if you use machines to tabulate them, and those machines are compromised — so it’s especially worrying if those are, in engineering parlance, black boxes, i.e. machines which provide visibility only of their inputs and their outputs, not their inner workings.

A solution to this black-box problem is to either tabulate by hand, or instantiate a separate audit process after each election. That means independently sampling and hand-counting a small fraction of the votes, ensuring that the audit result is statistically in line with the overall tally — and if it isn’t, increasing the sample size, up to and including a full recount.
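The escalating sample-and-compare procedure described above is, in its simplest form, a ballot-polling risk-limiting audit. The block below is an added illustration, not code from the original post or from any election authority: it implements the two-candidate BRAVO-style sequential test (Lindeman, Stark and Yates) with a constructed set of ballots. The reported tallies, candidate names and the 10% risk limit are all assumptions chosen for the example. Each hand-examined ballot updates a likelihood ratio; if the ratio reaches 1/risk_limit the reported outcome is confirmed, and if the sample is exhausted first the audit has escalated into a full hand count, exactly the "increase the sample size, up to and including a full recount" rule from the text.

```python
import random

def bravo_audit(sample_order, reported, winner, loser, risk_limit=0.1):
    """Two-candidate ballot-polling audit (BRAVO-style sequential test).

    sample_order: the true ballots in the order they are drawn for hand inspection.
    reported:     the machine-reported tally, e.g. {"A": 600, "B": 400} (constructed).
    winner/loser: candidate names from the reported result.
    risk_limit:   maximum probability of confirming a wrong reported outcome.
    """
    total = reported[winner] + reported[loser]
    s_w = reported[winner] / total          # reported winner share
    if s_w <= 0.5:
        raise ValueError("reported winner must hold a majority of the two-candidate votes")
    threshold = 1.0 / risk_limit            # stop when the ratio reaches 1/alpha
    t = 1.0                                 # likelihood ratio: reported vs. tie
    examined = 0
    sample_tally = {winner: 0, loser: 0}

    for ballot in sample_order:
        examined += 1
        if ballot == winner:
            t *= s_w / 0.5                  # evidence for the reported result
            sample_tally[winner] += 1
        elif ballot == loser:
            t *= (1.0 - s_w) / 0.5          # evidence against it
            sample_tally[loser] += 1
        # ballots for other candidates or undervotes count as examined but carry no weight
        if t >= threshold:
            return {"outcome": "confirmed", "examined": examined,
                    "sample_tally": sample_tally, "statistic": t}

    # Sample exhausted without reaching the threshold: every ballot has now been
    # hand-counted, so sample_tally is the full recount and it replaces the reported tally.
    return {"outcome": "full_hand_count", "examined": examined,
            "sample_tally": sample_tally, "statistic": t}


def audit_election(ballots, reported, winner, loser, risk_limit=0.1, seed=None):
    """Draw ballots in a random order (seeded for reproducibility) and run the audit."""
    order = list(ballots)
    random.Random(seed).shuffle(order)
    return bravo_audit(order, reported, winner, loser, risk_limit)


if __name__ == "__main__":
    # Constructed scenario: machines reported A 600, B 400; the paper ballots agree.
    reported = {"A": 600, "B": 400}
    honest = ["A"] * 600 + ["B"] * 400
    print(audit_election(honest, reported, "A", "B", seed=1))
    # Constructed scenario: machines reported the same, but the paper says B won.
    tampered = ["A"] * 400 + ["B"] * 600
    print(audit_election(tampered, reported, "A", "B", seed=1))
```

The test statistic only grows when the paper ballots agree with the machine's story, so a tabulator that inflated the winner's count cannot be "verified" by its own numbers: the audit either sees the paper confirm the margin quickly, or keeps pulling ballots until the entire race has been counted by hand. Real audits also handle multi-candidate contests and ballot-comparison designs, which need fewer ballots; those are outside this example.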

The election threat model is broader than you might think. Researchers can, for instance, transform ballot images so that votes move imperceptibly. Which is one of many reasons why paper ballots are so critical. I have some good news there: as Politico’s excellent voting machine interactive shows, most US states have and/or are moving to paper ballots (and most of the remainder were/are going to mostly vote for the party apparently opposed to democracy anyway.)

The audit situation, though, is … more complicated. Only 25 states require any audits of federal elections, for instance, and only some of those audits have teeth. Witness Verified Voting’s superb interactive explainers of post-election audits and state audit laws.

I don’t want to minimize the significance of secure voting machines and the Voting Village hackers’ work. It’s as important as everyone says. But as any security expert will tell you, defense in depth is often even more important than the strength of any individual layer.

Secure machines, which generate individual paper ballots, to be hand-tabulated and/or audited — that’s the kind of defense in depth we want, and personally I’m a little concerned that the final moat, the audit, doesn’t get the attention it deserves. To quote, of all people, a Republican president: “Trust, but verify.”

Every year the great and good (and bad) of the hacker/information-security world descend on Las Vegas for a week of conferences, in which many present their latest discoveries, and every year I try to itemize the most interesting (according to me) Black Hat talks for TechCrunch. Do not assume I attended all or even most of these. There are far too many for anyone to attend. But hopefully they’ll give you a sense of the state of the art.

First, though, let me just note that this post title is intended as sardonic. Yes, there is a lot of sloppy software out there, and yes, a lot of smart people keep finding holes, bugs, exploits, and design flaws even in good software, but we are not actually all doomed, and the belief that we are, and that anything connected to the Internet can be and probably has been hacked — an attitude which I like to call “security nihilism” — is spectacularly counterproductive.

In truth there is a lot of extremely good security out there, especially amid the big tech companies, and it keeps getting better, as the market for 0-days (previously undiscovered exploits) indicates. Most (though certainly not all) of the exploits below have already been reported and fixed, and patches have been rolled out. That said, much of the world has a lot of work to do to catch up with, say, Apple and Google’s security teams. Without further ado, the best-sounding talks of 2019:


Liveness Detection Hacking, from Tencent’s Xuanwu Security Lab, discusses how to trick “liveness” detectors for face or voice ID (or, perhaps, cryptocurrency KYC) by injecting fake video or audio streams, or, better yet, ordinary glasses with ordinary tape attached, which, best of all, they have named X-glasses.


All the 4G Modules Could Be Hacked, from Baidu’s Security Lab, recounts the researchers’ investigation of 4G modules for IoT devices — the components which connect machines to the Internet via cell networks, basically. As their summary memorably puts it, “We carried out this initiative and tested all the major brand 4G modules in the market (more than 15 different types). The results show all of them have similar vulnerabilities” and ends with the equally memorable “how to use these vulnerabilities to attack car entertainment systems of various brands and get remote control of cars.” Extra points for the slide with ‘Build Zombie cars (just like Furious 8)’, too.


Arm IDA and Cross Check: Reversing the Boeing 787’s Core Network by Ruben Santamarta of IOActive talks about how, after discovering an accidentally public directory of sensitive Boeing information online(!), Santamarta developed a chain of exploits that could conceivably lead from the Internet to the “Common Data Network” of a 787. Boeing strongly disputes this.

I have considerable respect for Santamarta, whose work I’ve written about before, and as he put it: “Boeing communicated to IOActive that there are certain built-in compiler-level mitigations [author’s note: !!] that, in their point of view, prevent these vulnerabilities from being successfully exploited. IOActive was unable to locate or validate the existence of those mitigations in the CIS/MS firmware version we analyzed. When asked, Boeing declined to answer whether these mitigations might have been added on a later version … We hope that a determined, highly capable third party can safely confirm that these vulnerabilities are not exploitable … We are confident owners and operators of these aircraft would welcome such independent validation and verification.” Indeed. But hey, if you can’t trust Boeing, who can you trust, right?


Reverse Engineering WhatsApp Encryption for Chat Manipulation, from researchers at Check Point Software, described how to abuse WhatsApp group chat to put words into others’ mouths, albeit only in quote texts, and send private messages which look like group-chat messages. (Note however that this is post-decryption, so you have to already be a legitimate member of the chat.)


In Behind the scenes of iOS and Mac Security, Ivan Krstić, Apple’s Head of Security Engineering, publicly spoke about Apple security. That’s remarkable enough right there! In particular, it’s worth noting his exegesis of how Find My works while preserving privacy, and that Apple is going to start to offer rooted iPhones to security researchers.


Simultaneously, an organization almost as devoted to secrecy as Apple revealed more about their security practices too. Kudos! I refer of course to the NSA, who came onstage to discuss their reverse-engineering framework Ghidra, and how it came to be open-sourced.


In Critical Zero Days Remotely Compromise the Most Popular Real-Time OS, researchers from Armis Security explained how VxWorks, a real-time OS you’ve never heard of but which runs on over 2 billion machines including aircraft, medical devices, industrial control systems, and spacecraft, also boasts vulnerabilities in esoteric corners of its TCP/IP stack that could lead to remote code execution. So that’s not good.


Finally, in Exploring the New World: Remote Exploitation of SQLite and Curl, Tencent’s Blade Team (yes, Chinese researchers have been absolutely killing it this year) showed how we actually are all doomed. I kid, I kid. But while you’ve probably never heard of them, SQLite and Curl are two absolutely fundamental software components — an incredibly widely used compact single-file database and a command-line networking tool, respectively — and the team used an exploit of the former to remotely attack Google Home, and of the latter to attack curl clients such as PHP/Apache as well as Git. Ouch.

Did you know that Russia’s security services, particularly those related to hacking / information security, have been in the throes of vicious high-stakes infighting for years? Did you know that the perceived Russian doctrine which informed much Western analysis of Russian strategies never actually existed? Did you know that the Kremlin’s secrecy has built an entire cottage industry of largely-unfounded rumors and conspiracy theories based on the few tantalizing details which do leak?

OK, you probably knew that last part. Everyone, or at least everyone who calls a social-media stranger with whom they disagree a “Russian bot,” is a Russian conspiracy theorist nowadays. And of course the evidence of widespread malevolent Russian activity, ranging from assassinations to hacking to social-media bombing, is copious.

But exactly which Russian organizations are doing what, and why — that’s a lot harder to establish. I’m reminded of old Cold War spy novels in which Kremlinologists analyzed the few public appearances of Politburo members, wrongfully reading great significance into who stood where and when, because they had little else to go on. Just like those bad old days, our instinct nowadays is to treat “Russia” as a single, well-oiled, tightly-orchestrated malignant machine.

Of course it’s nothing of the sort. Instead it is a complex, seething, tiered morass of many figures and institutions, often incentivized against one another, in a time of profound and rapid change. Today I attended a Black Hat talk by Kimberley Zenz, who opened with a plea for nuanced consideration of Russia and Russian activities. She’s right, of course, but sadly the Internet tends to be where nuance goes to die.

This nuance, though, is especially fascinating, the stuff of spy thrillers. In 2017 a slew of Russian intelligence officials and hackers — along with, inexplicably, Kaspersky Lab’s Head of Investigations — were suddenly arrested. One was “apparently forcibly removed from a meeting with fellow FSB officers — escorted out with a bag over his head” according to Stratfor. A case was eventually made against them for “high treason in favor of the United States.”

Four individuals were this year sentenced to up to 22 years in prison. (They are appealing.) Andrei Gerasimov, the longtime director of Russia’s Information Security Center, “a shadowy unit … thought to be Russia’s largest inspectorate when it comes to domestic and foreign cyber capabilities, including hacking,” resigned a week after this case emerged.

Stratfor again: ‘Because the charges are treason, the case is considered “classified” by the state, meaning no official explanation or evidence will be released.’ From this fog of secrecy, half a dozen different rumors and theories have emanated. Are the charges entirely trumped-up to eliminate rivals? Did someone leak to the US to attack their rivals, only to see this backfire spectacularly? Did the FSB turn a hacking group which then discovered something they really shouldn’t have about a powerful oligarch? Who can say?

Of course another conspiracy theory is the nuance-free “well-oiled malignant machine” one, in which this case is just an instance of said machine expelling a bit of grit from its innards. It’s remarkable how common this “monolithic Russian single-voiced hive-mind” analysis has become. Here’s Politico, for instance, after the above scandal broke: “Lately, Russia appears to be coming at the United States from all kinds of contradictory angles … Confused? Only if you don’t understand the Gerasimov Doctrine.”

That doctrine — named after General Valery Gerasimov, please note, not repeat not the now-disgraced former-FSB-director Andrei Gerasimov mentioned above — is used there to explain away all Russian activity, even that which appears self-contradictory, as a deliberately bewildering diversity of tactics used to “achieve an environment of permanent unrest and conflict within an enemy state.” It was cited yesterday in another Black Hat talk, which I was so unimpressed by I’ll diplomatically refrain from discussing further. It is consistently cited by Russian policy analysts to this day.

But the problem with the Gerasimov Doctrine as a cornerstone of modern Kremlinology is that — according to the very person who coined the term! — it never actually existed. (Ironically it stems from a conspiracy theory on General Gerasimov’s part: that the CIA instigated the Arab Spring.) Instead, rather than a campaign informed by a unifying doctrine, Russian activity is

largely opportunistic, fragmented, even sometimes contradictory. Some major operations are coordinated, largely through the presidential administration, but most are not. Rather, operations are conceived and generally carried out by a bewildering array of “political entrepreneurs” hoping that their success will win them the Kremlin’s favor

That sounds like an awfully important distinction to make, and it leads to the most interesting thing (to me) about Ms. Zenz’s talk: her mention that “the Russian government considers Russian cybercriminals to be a strategic asset,” and that one side effect of this treason case is that it has greatly chilled information sharing and cooperation between Russia and the West regarding online threats.

Does this strategic status in turn mean that Russian hackers are likely to be government operatives, and/or Russian infosec companies in bed with their government? I am no Kremlinologist, but it seems to me more that the very question is wrong and should be unasked. Rather, the relatively sharp differences between “private sector,” “government,” and “criminal,” defined in nations with a strong rule of law, don’t really exist in a nation like modern Russia where those distinctions can, and often do, blur together.

Security is empty, meaningless theater — or, at least, that’s the lesson taught to most employees of most large companies. Security is your password expiring every few months, your inability to access crucial services if you’re new or a contractor, a salty message from a team you’ve never met explaining that your new initiative is not permitted, a transparently convenient excuse when someone doesn’t want to admit their real reason. Security is bullshit.

I can cite more examples from my own career as a consultancy CTO than I care to think about. The household-name company whose security team explained that cloud services were inherently insecure, until the day they decided to switch to AWS and began to explain how local servers were inherently insecure. The household-name companies who deluged us with detailed security questionnaires regarding the security of our servers, but whose assessment protocols were then unable to comprehend our “uh, everything’s in the cloud with GitHub and GSuite etc., we have no servers of our own” responses without hour-long handholding calls.

Which is why it was such a glorious breath of fresh air to hear Dino Dai Zovi’s keynote speech at the Black Hat security conference in Las Vegas this morning. Dai Zovi, staff security engineer at Square, argued that the all-too-common model of security as a team which sits and snipes at the people who actually build things, telling them no and pointing fingers, is in fact fantastically counterproductive.

Instead, he argued, security has to change its culture, which is far more important than strategy, which in turn is far more important than tactics. Instead of security becoming a faraway flaming hoop to jump through, teams should become responsible for their own security. Furthermore, security engineers should write code to help those teams. Fuzzing is great, but as he put it, “the next level is making fuzzing easy for software developers, because there are way more of them than there are of us.”

Most importantly — and most revolutionary — he argued that instead of defaulting to saying “no” all the time, and throwing up as many obstacles as possible, security people should always start with “yes, and here’s how we can help.” The fact this is so different from today’s practice that it actually sounds comical says a lot, none of it good.

The sad truth is that still, today, in the real world of enterprise software, security as most employees and vendors encounter it tends to be at least as performatively useless as the “take off your shoes & take out your liquids” security theater of American airports. The horror stories are legion. You have your own, I’m sure. Who doesn’t?

A couple more: Once a movie studio who wanted us to do some minor web-development work, for ancillary web sites with no real connection to their intellectual property, told us we would not be able to do anything unless our (primarily remote) workforce had continuous keycard access to, and closed-circuit camera coverage of, every computer which might work on these sites … then intimated that what they really needed was just for those boxes to be checked, not for any of that to actually happen.

Another time, a big company insisted that we become SOC-2 compliant — SOC-2 being a standard birthed not in tech but in accounting, and seemingly primarily designed to provide full employment for accountants rather than, you know, meaningful security standards and processes — without caring which, if any, of SOC-2’s five “trust services” we were talking about; they just needed to tick the “SOC-2 compliant” box on their list of vendors.

It doesn’t have to be this way. Security people could be contributors, rather than gatekeepers. And if they were, everyone would find it easier, more rewarding, and more intuitive to contribute to security. Siloed security bureaucracies aren’t just slow and frustrating; in the long run they are inherently a more fundamental threat to the security of the companies infested by them than any exterior hacker or even APT ever could be. It’s long past time we all learned that lesson.

Last year, “Amazon employees met with ICE officials … to market the company’s facial recognition technology,” the ACLU informs us. Amazon VP Brad Huseman later said “We believe the government should have the best available technology.” Then, last month, Motherboard revealed Amazon has partnered with police departments around the country to create “a self-perpetuating surveillance network” of Ring products.

Allow me to be the umpteenth to say: what the hell, Amazon?

Amazon shareholders, tech employees, warehouse employees, and customers are all protesting this marketing of Rekognition to ICE, as well as the services provided by Amazon to the infamous Palantir. More than 500 Amazon tech employees, in particular, have signed a letter of protest — but Amazon’s leadership does not yet seem to be willing to engage with them in good faith.

Instead, Amazon has defended itself with a “Facts on Facial Recognition with Artificial Intelligence” page, in which they seem to think the only possible problem with their technology is the possibility of false positives, and offer halfhearted half-measures such as “In all public safety and law enforcement scenarios, technology like Amazon Rekognition should only be used to narrow the field of potential matches … facial recognition software should not be used autonomously.”

The technical concerns are real enough, as shown by Orlando’s cancellation of their pilot Rekognition program. But I’m tired of tech companies acting as if they have no responsibility to the public beyond fixing their bugs and getting their tech working as intended. Sometimes the intent itself is the problem.

“I feel that society develops an immune response eventually to the bad uses of new technology, but it takes time,” Jeff Bezos has said. Which is true as far as it goes. But a corollary is that, in the interim, while society hasn’t developed immune responses, we should be especially cautious about abuses. Another is that the world’s wealthiest man should not abdicate his own nontrivial part in optimizing society’s immune response. With great power, they say, comes great responsibility.

The question is not really whether Rekognition’s technical problems will be solved. The question is whether marketing it to governments and law enforcement in order to enable ubiquitous panopticon surveillance is good for any society in the world. It’s dangerously intellectually lazy to say “if it’s legal it must be OK” or “the institutions of democracy will protect us from harm, therefore as a tech maven I don’t need to think or worry about any consequences.”

In reality the law is extremely slow to react to new technologies, and our institutions are increasingly sclerotic and paralyzed — as the tech industry will be all too eager to tell you in other contexts. Relying on them for our “immune response” is wilful negligence. Yes, technology is like fire, in that it always can be used for both good and bad; but we are rightfully far more cautious about fire in tinderbox conditions than we are during the rainy season, and we adjust our risk assessment accordingly. The unwillingness of tech companies to accept their responsibility for the risks they create is beyond worrying.

As I’ve said before, the only real, or at least real-time, check on tech companies is their own employees. So it’s heartening to see AWS employees push back against company policies — and worrying, at best, to see Amazon refuse to engage with them in good faith. The world expects better of Bezos and Amazon than dodging important questions about the risks of their technologies and passing them off as someone else’s department.

Facebook provides another cautionary tale. Hard as it may be to believe now, not at all long ago they were widely respected, trusted, and even beloved. A backlash against companies like Amazon and Facebook seems at first like a few minor cavils from an extremist fringe … but sometimes the pebbles of complaint suddenly accumulate into a landslide of contempt. Let’s hope Amazon sees the light before the techlash turns yet another erstwhile hero into a thoroughly modern villain.

The “10x engineer.” Shudder. Wince. I have rarely seen my Twitter feed unite against an idea so loudly, or in such harmony.

I refer of course to the thread last month by Accel India’s Shekhar Kirani, explaining “If you have a 10x engineer as part of your first few engineers, you increase the odds of your startup success significantly” and then going on to address, in his opinion, “How do you spot a 10x engineer?”

The resulting scorn was tsunami-like. The very concept of a 10x engineer seems so… five years ago. Since then, the Valley has largely come to the collective conclusion that 1) there is no such thing as a 10x engineer 2) even if there were, you wouldn’t want to hire one, because they play so poorly with others.

The anti-10x squad raises many important and valid — frankly, obvious and inarguable — points. Go down that Twitter thread and you’ll find that 10x engineers are identified as: people who eschew meetings, work alone, rarely look at documentation, don’t write much themselves, are poor mentors, and view process, meetings, or training as reasons to abandon their employer. In short, they are unbelievably terrible team members.

Is software a field like the arts, or sports, in which exceptional performers can exist? Sure. Absolutely. Software is Extremistan, not Mediocristan, as Nassim Taleb puts it.

Here in America we are now in the longest economic expansion in history. That doesn’t mean it’s about to end. But it does raise the question: what happens when it does? When the economic cycle finally inverts into recession, perhaps unexpectedly and with no obvious cause, perhaps because of some geopolitical crisis? We know what happens to the overall economy — but what happens to the tech sector?

Last time around, the answer was: “surprisingly little.” Late 2008 saw widespread expectations that tech was about to crater along with all other sectors. This was the era of Sequoia Capital’s infamous “R.I.P. Good Times” deck. They could hardly have been more wrong.

Instead the Great Recession everywhere else was more of a speed bump in Silicon Valley. In fact it was arguably the birth of the modern startup boom. The number of startups tracked by CrunchBase rose rapidly from 1200 in 2007, by at least 25% every year, to 5700 five years later.

Meanwhile, YoY revenue growth at Google did drop into single digits in 2008-09 … but only for a few quarters, never actually stalled, and quickly returned to 20%+. Amazon growth never fell below double digits. Apple’s went negative for one lonesome quarter, but otherwise stayed north of 20%.

Go back a little further, though, and you come to the dot-com crash, in which tech was — of course, and rightly — hit hard. This was not entirely a bad thing. Even at the time it was clear that to some extent the chaff was being sifted from the industry, albeit at widespread painful personal cost. However, that unpleasant correction set the stage for the nonstop growth since.

So: will the next downturn parallel 2008, or 2001? Will tech growth slow but not stop, or has the time come again for a great economic threshing which will separate wheat from chaff? Or will the next downturn take its own, very different shape? Tech is both much larger now, and much more tightly woven into every other sector.

One could argue a recession will accelerate the demise of legacy businesses and systems, and their replacement with newer, more efficient, software- / API- / AI-driven ones, so the tech industry will actually see a net benefit from any downturn. I’m skeptical of this vulture theory, though. A sinking tide ultimately lowers all boats.

Still, the Big Five — Alphabet, Amazon, Apple, Facebook, Microsoft — will probably sail through relatively untouched. They may stop hiring as aggressively (Google has grown by 18,000 employees to 107,000 in just the last year) but they have enough cash on hand, and diverse enough revenue streams, to weather a storm. Even Google is no longer totally reliant on ads, now that it’s making $8 billion/year from GCP.

The one possible exception is Facebook, which remains the most precarious of the Big Five, given the increasing vitriol it attracts, its relative lack of room to grow in wealthy markets, and, probably most important, the fact it remains a one-trick revenue pony. Could the next recession see Facebook drop from Big Five status? Very possibly.

Lesser companies, though — those outside of tech proper, and even the herd of growth-stage unicorns — will almost certainly be forced into major layoffs. Will the newly-laid-off flock back to school, as happened in 2008? Or will they rush to roll the dice with new startups? Given the rising costs of, and increasing skepticism aimed at, traditional higher education, it seems likely that instead we’ll suddenly see an enormous bloom of new startups.

On the one hand, this means more ideas flung at the proverbial wall, and so more innovation. But on the other, these will presumably mostly be low-cost web / app startups, which as I’ve argued before are increasingly played out, from people who are founding them as a reaction to being laid off rather than because they have a vision they can’t ignore, in a downturn during which funding will presumably grow ever harder to acquire.

There’s a school of thought which says more startups is always better, and another which says that bad startups are like an algal bloom, choking the oxygen (money, attention, talent) from the ambient environment and making things worse for the overall ecosystem. It seems likely that the next downturn will serve as a natural experiment testing these hypotheses. Let’s hope the former is more true. And if (but only if) you have your own burning startup idea in you, it might be best to beat the eventual recessionary rush.

In the house in which I grew up, a single framed newspaper front page loomed over us. “MAN ON MOON”, it declared jubilantly, in an enormous, suitably momentous typeface. Subheadings included “‘It’s very pretty up here … a fine, soft surface’” and, of course, “A giant leap for mankind.”

One leap forward, three steps back. That newspaper was dated fifty years ago today, as I type this. Apollo 17 — “the most recent time humans have travelled beyond low Earth orbit” — took place in December 1972, a date at which a large majority of humanity today was not yet born.

Space travel is not the stuff of science fiction. It is the stuff of history books, of yesteryear, of scratchy black-and-white TV, of that yellowing newspaper cover of my youth.

What happened? I mean, lots, but ultimately the costs were too high, the tangible benefits too nonexistent, and the Space Shuttle was too much of an unmitigated disaster from start to finish in every way.

What happens next? Well, there we have a quick answer: we’re going back! America is going to land the first woman on the moon by 2024! Absolutely!

…you’re absolutely right to be very skeptical.

There are numerous “lunar exploration architectures,” or ways to return to the Moon. My friend Casey Handmer, a physicist, space enthusiast, and former levitation engineer, itemizes them in this excellent blog post from a few months ago. One of them is NASA’s proposed Lunar Gateway, which will place a space station into high Moon orbit, from and to which lunar landings will descend and return.

Is this a good idea? …Well, it’s an idea. But it’s better to have a plan and to be making progress on it than not, right? Right? …Except the last few months have seen a bewildering flurry of chaos and confusion which makes NASA’s lunar program more closely resemble a headless chicken than a smoothly oiled machine.

First, an unsigned five-page document, riddled with spectacular grammar and spelling errors such as

There is no feasible means to redesign it or any other heavy left rocket to more transport the lunar landing elements

(!) was shared by “the Gateway program office at Johnson Space Center in Houston,” reported Ars Technica. (Casey wrote an exegesis of this dubious document, if you want to see it deconstructed in detail.) Then, earlier this month, NASA demoted and replaced its executives in charge of human space exploration.

Does this sound like the behavior of a lunar project accelerating to an on-target, on-time landing? Or more like a bureaucratic catastrophe thrashing frantically while failing to get anywhere at all? “As it stands, few experts believe NASA’s plan for returning to the moon in 2024 is feasible,” says Vox mordantly. You don’t say.

I’d be so delighted to see a woman walk on the moon in 2024. But I’m not exactly holding my breath. By 2032 we will have gone sixty years, three generations, between human lunar excursions. Some people think we shouldn’t go back at all, that there is too much of more importance to do here on Earth. I disagree, strongly, but I think even they might still agree that it would be sad beyond belief if and when we next land on the Moon, there’s no one around who remembers the last time.

The techlash is well underway. Blame Facebook! Blame Google! Blame Amazon! (Apple and Microsoft still seem relatively immune, for now.) And, I mean, there’s a lot of objectively blameworthy behavior there, especially in that first case. But I find myself wondering: why does the ire go beyond that, into irrational territory? What is it about the tech industry that makes it such a particular target?

There are a sizable number of people out there who think — no, who don’t just think, who take as a given, as something no right-thinking person would ever dispute — that the most recent US presidential election went the way it did purely because of Facebook. Russians! Cambridge Analytica! This is of course nonsense. (Hello, James Comey. Hello, Citizens United. Hello, mass media who trumped up Hillary Clinton’s email non-scandal for months.) Why is that?

I think it’s obvious that media treatment of Facebook and Google has grown much harsher since they have begun to realize that Facebook and Google are rapidly devouring the advertising money on which the media feed. I’m not suggesting that publishers are telling journalists to be critical; I’m suggesting that journalists are individually well aware of what’s going on in their industry and are individually, but en masse, aligning against the threats to their collective livelihood.

But it’s not just that. There’s an odd tinge of betrayal, and also of hope, to the techlash. I say “odd” but it makes perfect sense. People are especially angry at the tech industry because they view it as the last engine of power which actually might change. It’s the old story about the drunk looking under the lamppost for his keys, writ large.

My theory is that people no longer believe that there is any hope of meaningfully changing the venal rentier systems of Wall Street or Washington. A learned helplessness has set in. It is understood that those titanic forces are beyond all hope; that the system which is meant to control them has been corrupted, by regulatory capture, gerrymandering, court-packing, and so forth.

No vitriol or protest will affect Goldman Sachs or Mitch McConnell. People vent fury, and come together to fight individual horrors like the border camps, but they don’t seriously think the overall system can meaningfully change.

Technology, though — we’re all about change. …Right? We’re the shapers of the future. We’re the hope for a meaningfully better world. …Right?

But as the tech industry has become more powerful, it has also grown more cautious, and more conservative. Over the last decade its influence has attracted an influx of the kind of people who in another era would have gone to Wall Street or Washington; establishment scions who may take on the mantle of subversion, because it’s fashionable in California, but don’t actually intend any.

(This is why I like the blockchain / cryptocurrency world; it’s full of people who want to change the established system, believe it’s possible, have a vision of a new and better order, and think they’re implementing it. Sure, this also means they attract all kinds of charlatans, cheats, and lunatic fringes — but whether they’re right or not, compared to the sclerotic mainstream, their approach is hugely appealing.)

I’m not saying mainstream change is impossible; just that the system has bred learned helplessness to that effect. I’m not saying tech is now a bastion of conservatism; just that it’s less quietly subversive than it used to be.

And I’m by no means saying that Silicon Valley doesn’t deserve criticism. I am, however, saying that raging at it for the absence of outcomes that only Wall Street and Washington can bring is pretty counterproductive. Better to remember that often the fault lies not in our social media, Horatio, but in our elected representatives; and if that system of representation itself has gone awry, there may not be a lot that technology itself can do about it.