The Effect of Google’s Late 2018 SEO Algorithm Changes on Multi-Discipline Sites

Starting around October 1st I saw something catastrophic happen to my incoming traffic from Google.

Compared to the beginning of the year I have gone from around 10,000 pageviews a day to around 5,000—a 50% loss in traffic.

Once I noticed (which took a while), I started reading a ton of articles on all the various potential causes. Finally, after finding a few good ones and talking to my friends in the SEO business, I think I now have a good idea of what happened.

Keep in mind this is still theory, so I could find out at any moment that I was wrong.

Google released a number of major algorithm updates in the latter part of 2018. And at least one of them focused on what they’re calling Your Money or Your Life, which they abbreviate to YMYL.

Basically, they’re specifically trying to find—and punish—sites that make false claims about things that matter. And one of the ways they’re doing that is by trying to judge a site’s authority on particular topics.

Be sure to review Google’s SEO Guidelines.

There’s another tangent to this, which is a concept called “staying in your lane”. So if you’re a lawyer specialized in European Privacy, and you start going off about the Higgs Boson and how everyone’s wrong about string theory, well, Google might conclude that you’re talking out of your ass. The implication is that your overall trust ranking will fall as a result.

And that brings us to me and this website.

The other thing Google focuses on is called E.A.T—expertise, authority, and trust.

I’m a security guy. IoT Security. Application Security. I’m learning more and more about AI and ML, and have smart (but cautious) things to say about those topics.

But I also write extensively about things that have nothing whatsoever to do with security or technology.

  • Philosophy
  • Futurism
  • Politics
  • Creativity
  • Happiness
  • Etc…

To make things even worse, I also do a show called Unsupervised Learning, which is a podcast and newsletter about “Security, Technology, and Humans”.

An excerpt from a recent newsletter

It’s all over the place. I go from Chinese espionage plots to potential cures for cancer, to the future of work, to fiction book reviews.

I don’t think Google has any idea what to do with the site.

The obvious fact here is that both of these campaigns: “Your Money or Your Life” and “Stay in Your Lane” are coming from the urgent need to combat fake news. They’re looking for multiple ways to get there.

If I were building solutions to do this I’d be doing something like this:

  • Find out what an author is talking about
    • Parse their content and do topic analysis
  • Rate their authority on each of their topics
    • Look at inbound links
    • Evaluate samples of their factual claims in topic
    • Look for credentials on LinkedIn and About pages
    • Make sure they’re standing behind their claims
  • Lower the rankings of sites who score badly

I get it. It makes sense. And I admire them for doing it, because it’s a matter of literal national and global security.

The problem is that sites like mine seem to be getting destroyed in the process. And it’s clear why that’s the case.

If a site is talking about many disparate topics—especially in an open and tentative way—it’s extremely difficult to tell the difference between a solid but curious intellectual and a complete idiot. So they bring the SERP hammer in both cases.

For Google, their ideal (trustworthy) site is one that talks about one thing and one thing alone, and does so with good sourcing, with clear authors who have their backgrounds right there in the open, and that never branches into topics they’re not experts in.

Again, I get that. But that’s no way to be an intellectual. Not for me anyway. I find the world fascinating, and I’m going to talk about it. For a number of reasons I am going to be more careful with claims in some cases, more careful to add sources when the argument is helped by data, etc.—but I can only flex so far.

This site is fundamentally a personal project. It’s where I learn, and then organize and share what I learn. And I learn by consuming and thinking (out loud, on “paper”).

So I’m not sure how screwed I am. It could be that I have permanently lost half my traffic—or maybe that’ll continue to fall.

But what I hope is that Google will eventually figure out that people like me exist, and that sites like mine exist, and they’ll adjust their Fake News algorithms to take them into account.

One friend of mine—Thomas Zickell—believes that the answer is hub pages, where you make your categories super clear to Google through top-level navigation. This way (the theory goes) Google can clearly see that you have multiple lanes, and will hopefully judge you independently for each of them.

So ideally you could then rank extremely high for areas where you’re a careful expert, and where you have unique and creative thought, and then less high (or not at all) where you’re just riffing on ideas outside your expertise.

I’m betting that’s what Google is working on solving, and that these first swipes of the sword in 2018 were basically emergency efforts to get the house in order.

If you know anyone at Google who might know about this, please let me know.

If I had to guess, I’d say that 2019 will see a number of adjustments to those initial efforts that are designed to bring multi-discipline sites back into focus without opening the gates to the garbage that used to rank well for the wrong reasons.

Meanwhile, I’ll be working on other SEO hygiene trying to get some of my traffic back while they figure it out.


  1. The other thing I’ll be trying in the meantime is making my overall content categories more clear in the top navigation.

Subscribe for one coffee a month ($5) and get the Unsupervised Learning podcast and newsletter every week instead of just twice a month.

Source: DM
The Effect of Google’s Late 2018 SEO Algorithm Changes on Multi-Discipline Sites

The Difference Between Decompilers, Disassemblers, Debuggers, and Hex Editors

For people looking to get into reverse engineering, the barrier to entry can be fairly steep—starting with the terminology. Here are the differences between a few key tools you will encounter on the path.

  • Decompilers reverse binaries into higher-level languages, like C++.
  • Disassemblers reverse binaries into assembler language.
  • Debuggers allow you to view and change the state of a running program.
  • Hex Editors allow you to view and edit the contents of a binary.

Another set of things to know is the different kinds of programming languages. Here they are—from low to high levels of abstraction from the CPU.

Modern languages like Python and Ruby are considered high-level languages, but are functionally a level above.

  1. Machine Code is the 1’s and 0’s executed by a CPU.
  2. Assembler is the next level up, and is the first human-readable level, but just barely.
  3. High-level—also called Compiled—languages include C and C++, and they’re the first level of functionally readable code.
  4. Interpreted Languages are languages like Perl, PHP, Python, and Ruby, which require an environment to run them and trade readability for speed.
  5. Bytecode Languages are languages like Java and .NET, which are cross-platform like Interpreted languages, but with similar readability and speed to compiled languages.


  1. To go from binary to assembler, use a disassembler.
  2. To go from binary to a higher-level language, use a decompiler.
  3. To edit a particular part of a binary’s contents, use a hex editor.
  4. To interact with an application as it’s running, use a debugger.
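
As an added example (not code from the original post), the following shows the same eleven bytes through two of the tools above: a hex-editor view that only displays and overwrites raw bytes, and a disassembler view that decodes them into assembler. The byte string is constructed for this example, and the function names and the small x86-64 opcode subset the decoder covers are assumptions made for the illustration.

```python
# Constructed sample: x86-64 machine code for a function that returns 42.
# These bytes are made up for this example, not taken from a real binary.
CODE = bytes.fromhex("554889e5b82a0000005dc3")

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
ONE_BYTE = {0x55: "push rbp", 0x5D: "pop rbp", 0x90: "nop", 0xC3: "ret"}


def hexdump(data, width=16):
    """Hex-editor view: offset, raw bytes, printable ASCII. No interpretation."""
    pad = width * 3 - 1
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{pad}}  |{text}|")
    return lines


def patch(data, offset, new_bytes):
    """Hex-editor edit: overwrite bytes in place, keeping the length unchanged."""
    if offset < 0 or offset + len(new_bytes) > len(data):
        raise ValueError("patch would run past the end of the data")
    return data[:offset] + new_bytes + data[offset + len(new_bytes):]


def disassemble(data):
    """Disassembler view: decode a tiny subset of x86-64 into mnemonics."""
    out, i = [], 0
    while i < len(data):
        op = data[i]
        if op in ONE_BYTE:
            out.append((i, ONE_BYTE[op]))
            i += 1
        elif data[i:i + 3] == b"\x48\x89\xe5":
            out.append((i, "mov rbp, rsp"))
            i += 3
        elif 0xB8 <= op <= 0xBF and i + 5 <= len(data):
            # mov r32, imm32: opcode selects the register, 4 bytes follow
            imm = int.from_bytes(data[i + 1:i + 5], "little")
            out.append((i, f"mov {REG32[op - 0xB8]}, {imm:#x}"))
            i += 5
        else:
            # Anything outside the subset is shown as a raw data byte
            out.append((i, f"db {op:#04x}"))
            i += 1
    return out


if __name__ == "__main__":
    print("\n".join(hexdump(CODE)))
    for off, text in disassemble(CODE):
        print(f"{off:04x}  {text}")
    # Edit one byte the way a hex editor would, then decode again.
    patched = patch(CODE, 5, b"\x07")
    for off, text in disassemble(patched):
        print(f"{off:04x}  {text}")
```

The hex view cannot tell you that offset 5 is the low byte of an immediate operand; the disassembler view can, which is why the two tools are normally used together when patching a binary.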


Unsupervised Learning: No. 157

Unsupervised Learning is my weekly show where I spend 5-20 hours finding the most interesting stories in security, technology, and humans, which I then curate into a 30-minute podcast & companion newsletter.

The goal is to catch you up on current events, show you the best content from around the web, and hopefully give you something to think about as well.

Security News

A Chinese cyber operation being called Cloudhopper saw China hacking multiple large companies, e.g., HP, IBM, etc., and then going after their customers. This is just another thread in the quilt that I talked about in last week’s member edition of the show. China is playing a very organized long-game when it comes to gathering and exploiting information. I’ve always thought this was a smart play, i.e., going after vendors, MSPs, and other providers that already have links to many of the top companies they want to target. Link
Attackers are phishing for 2FA codes as well as the initial password. This is an obvious risk, which now seems to be paying off for some, but the solution isn’t obvious and simple. One option might be using systems like Okta where you get prompted and you simply accept (rather than passing a code), but that can be scripted through good narrative attacks or social engineering as well. This isn’t so much a technical problem as it is people not realizing that they’re being manipulated. The trick is to make people immune to their own ignorance, which is a long ways from a solution. Link

A couple of people have been arrested for flying drones near Gatwick airport in the U.K. It’s fascinating to me that we’ve not seen more havoc caused by drones—especially in regards to airports. It seems trivially easy to cause disruption this way, and fairly easy to fly explosives near a plane or to try to fly into the engines or something. It just feels like the remote nature of drones make them an ideal platform for all sorts of high-impact attacks. Link

Advisories: Cisco, Internet Explorer

Breaches: Caribou Coffee

⚙️ Technology News

Scientists at Stanford applied an ML algorithm to around a billion satellite images and found nearly every solar panel in the U.S. Link

Kroger is starting completely autonomous grocery delivery in Scottsdale, Arizona. Link

Samsung is performing many of the functions traditionally done by governments in their country, like providing healthcare, housing, education, etc. It also represents around 15% of South Korea’s economy. Link

This new Japanese robot called Lovot is designed to be loved, not useful. Link

Human News

We appear to have an extremely promising new treatment for Alzheimer’s, which has seen ultrasound being used to remove proteins on mouse brains to restore memory. Human trials are starting soon. Unfortunately, it could still be another 10 years before treatments are generally available. Hopefully they can speed that up if the trials go well. Link

That “gut feeling” we get is caused by actual neurons in our stomachs. Link

As it turns out, making something harder to read does actually force you to pay attention—which helps with retention. This must be why so many insufferable people and publications use a microscopic font. I still don’t like it. Link

It’s getting dramatically more expensive to go to the ER, and someone did an analysis of over 1,000 bills to see where the big items are. It turns out to be things like walking in the door, getting over the counter pain-killer, etc. Insurance companies and hospitals are making increasing sums of money, while people can no longer afford to get sick. Same story. Link

Ideas, Trends, & Analysis

Everything is a Sensor Now — How the combination of sensors and algorithms will dramatically alter society. Link

The Difference Between a Penetration Test and a Red Team Engagement Link

Japan has a serious population crisis, and it continues to worsen. Link

Conscious Thought is an Illusion Link

Discovery — Drag and drop countries to see their relative sizes. Link

How to Win Link

Deep Learning to Solve Challenging Problems Link

Notes

Light edition this week given the slower news during the holidays…

Currently Reading: Strangers to Ourselves
Recently Finished: This Idea is Brilliant, The Four, Uncle Vanya, Hello World
Just Purchased: Elements of a Life, Astrophysics For People in a Hurry, Alibaba—The House That Jack Built

Recommendations

Everyday Espionage — A podcast by a former CIA agent that teaches you the basics of tradecraft. Link

How to Delete Facebook Link


“A person is what they think about all day long”.

~ Ralph Waldo Emerson


The Unsupervised Learning Gift List

I often find myself in the unpleasant position of wishing I could send people a gift, but not knowing what to get them. What I like to get people are smallish things that produce absolute delight, like the perfect knife, whiskey glass, or end-table book.

So what I’m going to do here is capture my list of items to pick from when the occasion arises.

1. Yoshiharu Hamono Penato Knife

This is an extremely elegant knife that you can keep near the door, for opening envelopes and Amazon boxes.


2. The Tungsten Spinning Top


This Tungsten Top is like a fidget spinner, but more timeless.

3. Fredrick and Mae Playing Cards


This is a unique and beautiful set of playing cards.

4. RAUK Heavy Tumbler


This is a legit whiskey glass with some weight to it.

5. 8.25″ Kyocera Ceramic Damascus Sashimi Knife with Black Blade and Pikka Handle


This is an extraordinary but non-traditional Sashimi knife with a ceramic blade and a black appearance.


Sensors + Algorithms Are the New Camera

Don’t call them cameras or microphones anymore. Those are human-centric names, and humans are about to be the Neandertals of detection.

I first heard this idea regarding cameras from Benedict Evans.

What we’re moving towards is a world where sensors are everywhere—and of multiple types:

  • Visible light
  • Non-visible light
  • Radio waves
  • Sound
  • Vibration
  • Chemicals
  • Radioactivity
  • Air pressure
  • Etc, etc.

These sensors will be sold as single units that can be deployed at scale by cities and companies, and they’ll be installed in everyday objects like buildings, street lights, sidewalks, park benches, restaurants, corporate workplaces, walls, ceilings, vehicles, etc.

In the past we would have had giant teams of humans looking at all this data. Well actually, we wouldn’t have been able to deploy them because there aren’t enough people to look at the data. But now we can—because of algorithms.

The combination of sensors and algorithms is about to become the most important tool for corporate and civic management.

Algorithms watch 24/7. They never get tired. They can update automatically across the entire world that’s using them. They can constantly improve based on new data. And they will be able to combine information from multiple sensor types into insights that we could never produce as humans.

Here are some examples of the types of things we’ll be able to do:

  • Measure the pheromones and body language in a room to estimate the chance of a fight breaking out.
  • Scan the way people are walking to determine if they’re likely carrying weapons.
  • Watch facial expressions and listen to voices to determine the current emotional state of various people.
  • Watch people’s body language, combined with body scans, combined with facial recognition, combined with their entire background, to determine their threat level in public places.
  • Scan everything about a public area to determine its current danger level, who the most dangerous people are, who should be controlled first if authorities arrived, where the best vantage points are for police, etc.

These probably seem scary to you, but they’re coming. My role is to make you aware, not to tell you it’ll all be ok.

And there will be positive, consumer-focused versions of these things too—like finding the best place to propose, the best place to go for a hike based on visibility and temperature and foot traffic.

The possibilities for companies’ efficiency, for city management, for optimizing consumer experiences—are nearly endless.

Everything starts with data, and that’s what these sensors will provide. They’ll tell us the current state of the world at any given moment—with more sensors in more places (and better capabilities and sensitivity) giving us even more data freshness and resolution.

That data will be fed constantly into millions of algorithms working continuously to provide various types of value—to different audiences. Some sensors will be publicly available, but many will be restricted by a government or corporation for official use.

If you think this will dramatically affect privacy, you’re right.

Privacy in the future will not be about whether someone has your data—it’ll be about whether the right people have it, and are being careful with it.

That your data is out there will be a given.

Anyway, the next time you look at a camera, think about how primitive it is. The idea of a sensor that only takes one kind of input for review by a human. A human that sleeps and defecates and gets bored and distracted.

Sensors of the future are multi-dimensional and linked directly to algorithms that continuously interpret the inputs.

The interesting thing about this is that the hardware doesn’t need to be upgraded that often. Or, at least for quite some time, most of the upgrades to the sensor and algorithm pairing will come from improvements to the algorithms.

You may think that I’m a bit too bullish on this prolific sensor stuff, and that I’m ignoring the Black Mirror abuse cases that can potentially come from them.

I’m not. I’m not ignoring them.

I see this going both ways—Black Mirror and also a far more advanced Star Trek. And I’m pulling for the latter.

Either way we can’t stop what’s coming.

AI reminds me a lot of the gun debate in that way. We don’t want dangerous people to have it, but if people are solid then it won’t matter if they do.

A healthy and kind society can have these tools (see weapons) and not cause harm, but the moment something goes sideways the opportunity will rise for abuse. And at that point you don’t want the power-hungry teenager to have insights to everyone’s location, personal preferences, etc.

Just get ready. That’s what I’m saying.

Cameras and mics become sensors. Algorithms replace the humans on the other end. And the sensors will be deployed everywhere.

You’re going to be able to look at a city center scene and see unbelievable things using this technology. Millions of algorithms parsing thousands of inputs from multiple perspectives, and then creating analysis and visualizations for human decision-makers (in addition to the automated choices that will be done without any intervention at all).

It’s coming. Get ready.


The Difference Between a Penetration Test and a Red Team Engagement

One of the most frustrating things to me as a security person is having sales and marketing types confuse the different types of security assessment.


And among those types of assessment, the pentest and red team are two of the most commonly mangled. First, let’s start with similarities.

  • They’re both types of security assessment, meaning their goal is to improve the security of an organization.
  • They’re also both based on behaving—to some degree—like an attacker.
  • They’re both focused on results rather than coverage—so they aren’t designed to tell you everything wrong with a company, but rather to show you the specific issue(s) they uncovered.
  • They both should be used by higher maturity customers, i.e., customers that have already gone through multiple rounds of vulnerability assessment and patching.


Sales and marketing types love to mix these two together based on whichever one gets more reaction from the customer.

As you can see, Red Team engagements and Penetration Tests have a lot in common, but they are also quite distinct from each other as well.

  • Penetration Test: A time-boxed technical assessment designed to achieve a specific goal, e.g., to steal customer data, to gain domain administrator, or to modify sensitive salary information.

  • Red Team Engagement: A long-term or continuous campaign-based assessment that emulates the target’s real-world adversaries to improve the quality of the corporate information security defenses, which—if one exists—would be the company’s blue team.

The origin comes from the military, where an independent group challenges an organization to improve its effectiveness.


Penetration Tests are short-term challenges to one’s security posture, and ideally should be done when you think you have your stuff together and you want someone to validate that assumption. They can be network-based, use physical attacks, social engineering, phishing, be application-focused—or all of the above.

Today the term is quite diluted, with Penetration Testing meaning something different to almost everyone. And there are thousands of companies that will sell you one. The problem is you have no way of knowing if you’ll get a Nessus scan or a custom, high-quality manual assessment.

Somewhere around 2017 the Red Team became the assessment du jour for much of the industry. The problem is that only a tiny percentage of security services companies can actually execute them.

The main distinctions between Penetration Test and Red Team are:

  1. Duration: Red Team engagements should be campaigns that last weeks, months, or years. The blue team and the target’s users should always be in a state of uncertainty regarding whether a given strange behavior is the result of the Red Team or an actual adversary. You don’t get that with a one or two week assessment.
  2. Multi-domain: While Penetration Tests can cross into multiple domains, e.g., physical, social, network, app, etc.—a good Red Team almost always does.
  3. Adversary Emulation: The item that separates a random Penetration Test from a Real Red Team engagement is that Penetration Tests generally involve throwing common tools and techniques at a target, whereas a Red Team should be hitting the organization with attacks that are very similar to what they expect to see from their adversaries. That includes constant innovation in terms of tools, techniques, and procedures, which is in strong contrast to firing up Nessus and Metasploit and throwing the kitchen sink.


In general, Penetration Tests and Red Team engagements are more likely than Vulnerability Assessments to use exploitation, or proofs of concept, to show that vulnerabilities actually exist. But it’s important to understand that exploitation is not necessary if the evidence is obvious enough to the receiver of the report.


You can ask for a Pentest or Red Team as a low-maturity customer, but you’ll just be wasting money.

  1. Both Pentests and Red Team engagements are based on acting like an attacker, they’re focused on results rather than coverage, and should only be requested by high-maturity customers.
  2. Penetration Tests are usually very short engagements of one to two weeks, whereas Red Team engagements should be campaign-based, long-term, and/or effectively continuous.
  3. Red Team engagements are usually cross-domain, where only some Penetration Tests have that quality.
  4. Red Team engagements should constantly create new tools and techniques to emulate their adversaries, while Pentest groups usually use off-the-shelf frameworks and standard pentester tactics.

This should help you tell these two assessments apart, and if you want to know when to use which kind of assessment, you can read my guide:

When to Use Vulnerability Assessments, Pentesting, Red Teams, and Bug Bounties


  1. The only real reason to do a Penetration Test in a low-maturity company is to bring skeptical decision-makers to religion by showing them that yes—they really should be listening to their security person.


Unsupervised Learning: No. 156 (Member Edition)

This is a member-only even episode. Members get the newsletter every week, as well as access to all previous episodes, while free subscribers only get odd episodes every other week.

Become a member to get access immediately


Medium Just Became an Even Worse Option for Blogging

Medium has quietly been making a series of changes that are all bad news for writers who still publish articles on their platform.

I discovered the most recent—and most significant—change when I emailed the Medium support a few days ago asking to update the canonical links of the e-Residency article that I had just re-written and updated on

It’s no longer possible to change canonical links of articles.

Source: Posting Evergreen Content on Medium is a Terrible Idea | Behind the Scenes of Nomad Gate

I wrote a while back about how Medium isn’t a great option for blogging. The basic idea is that it looks out for itself, not for you.

Well, this new move on their part makes that even more pronounced. You used to be able to canonically link to your own site when you post to Medium. But now they’re killing that off. They had a plugin that could do it, but they’ve stopped maintaining it.

This reinforces my recommendation regarding writing online:

  1. Keep everything on your own site as much as possible.
  2. Use very few third-party services, and ideally none. This means anything that involves third-party domains that you don’t control fully.
  3. Your domain is everything. It’s your center of truth going forward for decades. Protect that source of truth.

So whether it’s Facebook, Medium, Tumblr—whatever—stop that, and get on your own domain.


Your domain is your home, and anything you do away from there will end up hurting you when it either 1) goes away, or 2) changes management and starts doing things you don’t like and cannot accept.

As much as possible.
On your own domain.
