Daniel Miessler's Blog, page 42

We should have a new internet group called The Vigilant—a group of open-source code maintainers that steward and protect our top 1000 open-source applications.

Here’s how it could work.

Step 1: A group of internet technology and security leaders are elected and put into place. They are the oversight board of around 25 people who will vet whether someone can become part of The Vigilant based on reviewing resumes, commit history, etc.

Step 2: The oversight board then finds the top 1000 open source applications.

Step 3: The oversight board selects the first Vigilant members from people who have been maintaining those codebases for years.

Step 4: The oversight board, and the first Vigilant, go on a marketing tour to raise money from multiple sources—most importantly the MANGA companies and the government—for an annual budget of tens (or hundreds) of millions of dollars for critical infrastructure safety.

Step 5: That money is then paid out to The Vigilant as supplemental income for securely maintaining the code that runs the internet.

Step 6: The oversight board will also create and distribute elite-level swag for The Vigilant, including The Vigilant Coin, making it very respectable to be part of this group And once you’re part of it, you always are.

TL;DR: We create an organization that raises our internet maintainer heroes to the status they deserve and provides funding to actually pay them something for their invaluable work.

This is UL Member Content

Subscribe

Already a member? Login

The best way to create, predict, or validate future tech is to consider how it addresses a fundamental human need. We can see this in previous technology jumps.

Blogging allowed people to be heardThe iPhone made people powerful through access to information and their network Facebook allowed people first to stay in contact, and then to influence others Gaming and the metaverse allow people to reinvent themselves as someone more powerful and attractive

One fundamental human need is to signal our desirability to others. Here’s a good capture of signaling from Spent, my favorite book on the topic.

Many products are signals first and material objects second. Our vast social primate brains evolved to pursue one central goal: to look good in the eyes of others. Buying impressive products in a money-based economy is just the most recent way to fulfill that goal.

Geoffrey Miller, Spent

When you think about NFTs—and really any other technology that you’re contemplating the future of—don’t think about the tech itself. Think about what fundamental need it fills.

NFTs are digital signaling. They will allow people to efficiently and scalably display their value to competitors and mates.

In this way, NFTs are directly linked to power and sex, which humans care a lot about.

Think about the use cases you’ve heard of.

Art collectionsOne of a kind itemsExclusive sets of itemsSpecial in-game gearUnique skins for characters Etc

They’re all the same. They’re ways of conveying how special you are. And I ask you, is there anything more important to humans than displaying how special they are?

There are, actually. Two things are more fundamental: Survival and Reproduction. But it turns out that appearing elite and special to others helps you with both.

This will use AR in meatspace, and native displays within VR/Metaverse.

So with the combination of AR/VR/Metaverse we’re about to see the digitalization of signaling at scale.

When you look at someone in meatspace you’ll see indicators on their clothing, or above their heads that indicate that their luxury items are authentic, along with their freshness (season) and cost of purchaseYou’ll be able to not only see that the item is authentic, but that it’s one of N small number. Think: sneakers, purses, watches, cars.Displays can also indicate that items were completely bespoke pieces, created by the artist/designer, along with authenticated signature of that creator.

The tech platforms will handle all the validation of the item itself, its true ownership by the wearer, the fact that the item in question is the one they’re wearing, and that the particular signature being displayed actually came from the original artist.

Trillions?

Think about the size of the luxury goods market. Now think about how many billions are lost to the fake luxury goods market.

NFTs will help people signal their value in a way that is difficult or impossible to forge, which will exponentially raise the effectiveness of that signaling—and the markets that enable it.

SummaryA bet against NFTs is a bet against signaling. A bet against signaling is a bet against human nature. A bet against human nature is a bad bet. A bet against NFTs is a bad bet.NotesMy friend Joel Parish points out that you don’t actually need Web3 for this, which I totally agree with. But it’ll likely be done first on Web3 just because the ideas are rising to prominence together.

[image error]

[ We’ve extended the Black Friday offer for one additional day due to Cyber Monday. You have until the end of today to use this link to get $20 off UL Membership! ]

SECURITY NEWS

CISA has released Capacity Enhancement Guides for improving mobile device security for both consumers and organizations. It’s a collection of guidance for topics such as countering phishing, securing browsers, implementing strong auth, and others. More

France was about to buy Pegasus from NSO Group, but with news that the group targeted French President Macron, and the US ban on the company, the deal is at risk. More

Apple is also suing NSO Group, citing the use of the company’s tool by opressive regimes to spy on innocent victims. More

In related news, Israel just announced that they’re banning the export of hacking and surveillance tools to 65 new countries. This supposedly brings the allow list down to 37 countries. More

Ross Bevington, a security researcher at Microsoft, says he looked at 25 million SSH brute force attacks across Microft’s sensor network and found that 77% of attempts were between 1 and 7 characters. Guesses over 10 characters were only seen in 6% of cases. More

Apple is going to start notifying users if they’re being targeted by state-sponsored actors. Targeted users will get a notification in their AppleID account, as well as an email and text. More

Palo Alto’s Unit 42 used a honeypot of 320 systems to detect attacks against internet-facing misconfigurations in daemons like SSH, RDP, and Postgres. They said 80% of the systems were compromised within a week, and some were hit within minutes. More | Report

David Shütz was awarded $10,000 by Google for finding vulnerabilities in Google Cloud Platform. More

Ukraine is pushing to upgrade its navy due to increased concern around Russian agression. More

Incidents:  GoDaddy reported an incident due to a flaw in a Managed WordPress installation. More A new piece of malware called ‘Tardigrade’ is targeting biomanufacturing facilities. MoreVulnerabilities:  vSphere Web Client | 7.5 More Insulet OmniPod Insulin Management System | Allows for a replay attack that can inject insulin. MoreCompanies: Shield-IoT raises $7.4 million to do IoT security. More Resilience raises $80 million in their Series C to do Cyber Insurance. More
TECHNOLOGY NEWSSamsung is building a $17 billion chip factory in Texas, meaning more of the world’s chips will be made in America. More

Android users are evidently about to have a better text reactions experience when talking to iPhone users. Previously, reactions would come in out of order and generally looking wonky, and there’s an update rolling out now that will make them behave more like native Android reactions. More

Tile is being acquired by Life360, a location tracking company. More

Companies: HP reported $17 billion in revenue, up 9% over last year. More
HUMAN NEWSScientists are rushing to figure out how much current vaccines defend against COVID’s new Omicron variant. Meanwhile, Moderna says they could have an updated vaccine early in 2022. More

South Africa is complaining that they did the right thing by alerting the world to Omicron, but that they’re now being punished for it. Fair point, it seems. This is a good way to encourage countries to stay quiet in the future so they’re not the one listed as the source. More

California wants to delay the teaching of Algrebra until 9th grade across the entire state. A lot of people are upset about this, including me. Progressives need to learn that you can’t reduce the gap between the top and bottom by lowering the bottom. Students with education-focused parents (largely immigrants) will still learn advanced math early and they’ll still get into the best schools and get the best jobs. This kind of policy just pulls everyone else futher behind them. More

If you were waiting for a true sign of inflation, most items at the Dollar Tree will now cost $1.25. More


CONTENT, IDEAS & ANALYSISThe Unsupervised Learning Daily Routine — I finally completed my daily routine writeup for the UL community. It’s not just the list of steps, but also includes annotations for why I included each item and the research behind it. It’s a living document that I’ll continue to tweak, and we’ll be able to track the changes over time in Github. More


NOTESI’ve been an advisor for a startup called Opera Event for around 5 years, and my buddy Andrew who works there is heading out to DCentral Miami this week. Opera Event is a community-focused technology platform that helps communities, guilds, and DAOs take control of their user data, incentives, and currencies. If you work at OpenSea or any NFT/Web 3.0-focused company, or know someone who does, hit him up at andrew@operaevent.co to meet up there!

I’m somehow reading like 7 books right now. Not bragging. It’s sloppy and I need to clean it up. Basically need to push through or abandon a few.

I just started Assassin’s Apprentice, and I’m really enjoying the spin-up. Feels like an origin story with potential!

UL had a great bookclub today, and the book absolutely blew us away. It was way better than I thought it would be. The book was The Design of Everyday Things. This book is going into my Read Frequently list for sure.

I’m working on tons of content for the site right now, some general and some for members. The list includes a new Mental Models piece, which I’m really excited about.


DISCOVERY  

COVID Deaths by Vaccination Status — A brilliant presentation of the data around this topic. Spoiler: In the US, people vaccinated with Moderna are around 14 times less likely to die of COVID than someone who’s not vaccinated. Note, this is before boosters, which will widen that gap significantly. More

Another meta-analysis of the impact of Vitamin D on COVID infection has found that, “The limited currently available data suggest that sufficient Vitamin D level in serum is associated with a significantly decreased risk of COVID-19 infection”. More

The Verge reviewed the new Generation 3 of the Oura Ring. Big takeaways: positive, with lots of features are still coming, and it now requires a subscription. More

The Age of the Creative Minority More

Bugcrowd is hiring a Technical Project Manager. More

Don’t Soften Feedback More

Hardening your SSH Config File More

Practical Security Recommendations for Startups With Limited Budgets More

Maderas’ favorite OSINT resources. More

CVE Trends — A wonderful way to monitor trendting CVEs on Twitter, written by Simon J. Bell. More

SSH-Audit — Audit your client and server SSH configs. More | by jtesta

Cracken — A smart-wordlist generator. More | by Shmuelamar


RECOMMENDATIONS

I’ve been studying physical and cognitive health for the last few years—with a special focus on longevity and happiness. After reading a couple dozen books on everything from diet, exercise, fitness, meditation, etc., there is one unified theme that stands out to me: making your body uncomfortable.

Think about that. The thing that running, lifting weights, ice baths, saunas, and fasting all have in common is that they produce health and happiness by convincing the body that life is still difficult, i.e., that life is still happening.

So my recommendation to you is to think about struggle as an umbrella concept for health and happiness: In short, make sure you are challening your body in some way on a regular basis.


APHORISMS“Find out who you are and do it on purpose.”

Dolly Parton

This is UL Member Content

Subscribe

Already a member? Login

This Is UL Member Content

Subscribe

Already a paying member? Login

This Content Is For Paying Members

Subscribe

Already a paying member? Login

I think the public and the media are conflating two things here:

Should it be legal to walk around in public (especially during civil unrest) with an AR-15?, and Was Rittenhouse defending himself when he killed those people?

It was clear to me from watching the video of the shootings that it was self-defense.

Other guys backed off when he pointed the weapon at them from his back, and he didn’t fire. He only fired at the ones that looked like they were going to attack him.

But would any of this have happened if he didn’t come to the site of a protest, from out of state, with an assault rifle? Probably not. But again, because it’s actually legal to do that right now, we have to remove that component from the conversation.

That’s why I think he was legally defending himself at that moment. And the jury agreed. 

A lot of people are dissing the metaverse and NFTs and crypto as total garbage, and I think I see the main point they’re missing.

Reality is falling out of favor for hundreds of millions of people. Perhaps billions.

As the top 10% in the world take larger and larger shares of everything, from wealth, to income, to mates, to fame—more and more of the bottom 90% will simply opt for a different reality where they are able to compete.

Now, surely, some of meatspace’s advantages will follow into the metaverse (the real one, after the dust settles), but this won’t happen all the time because many who are winning in meatspace will be content to stay in that domain. Plus, there will be mechanisms to keep meatspacers out of the “real” world of the metaverse. Like a giant pay-to-play badge overlayed on their special items and such.

I just don’t think enough people—whether normies or journalists—are getting how annoyed people are getting with reality. Speaking just for the US, and just for the bottom 75% of the socio-economic field, life is fucking hard.

Jobs don’t pay enough. The work sucks. You don’t have any control over your life. You can’t afford a nice place unless you live somewhere without good restaurants. And even then you’re barely surviving because there are no jobs there.

They’re looking for an escape hatch from this thing called reality. THAT is what makes the metaverse a multi-trillion-dollar thing. THAT is the reason NFTs will dominate. THAT is the reason crypto and blockchain will succeed (in some form).

It’s not about the technologies themselves. It’s the fact that they are the avatars of reality rejection. They’re the tools that regular people will use to build a better one.

NotesThere’s basically one internet. And there’s one online world in *Ready Player One*. When we talk about *the* metaverse, we’re talking about one thing as well. Right now, however, we have the beginning of the battle for which will win out. And it’s so early the eventual winner might not even be on the board yet. Meta (Facebook) is an obvious good bet, but there’s no guarantee there at all.Image from https://www.uctoday.com/collaboration....

[image error]

SECURITY NEWS

An official FBI email server was hacked and used to send a fake threat email. The email had multiple spelling mistakes and was obviously fake upon significant inspection, but the problem is that the email passed SPF and DKIM checks, meaning it was sent from actual and actual FBI server. The FBI later confirmed the issue and said they were looking into it. More

A new piece of open source malware written in Go called BotenaGo can exploit more than 30 different vulnerablities in routers and IoT devices. Once installed, it works by listening for targets either locally or on port 19412. More

China has built mockups of a US Navy aircraft carrier and other warships to use as missile target practice in the Taklamakan Desert. More

Security vendor Randori is in trouble because they’ve had a working exploit for the PAN-OS vulnerability for months that they’ve been using for pentests. More

Blackberry has found information on an Information Access Broker (IAB) linked to three different hacker groups. Initial Access Brokers are a pretty cool part of the attacker ecosystem: they essentially manage the initial access to companies, systems, and networks all over the world. They work by getting access themselves, and then auctioning off their access to other groups on the DarkWeb. A study in August showed that the average cost for access going back a year from July was $5,400. More

North Korean attackers are using malicous Blogspot blogs to deliver malware to high-profile South Korean targets in the think-tank space. More

China is growing a massive army of hackers, and they won’t be criminals—they’ll be state-sanctioned professionals. More

Incidents:  Costco says a data skimmer has been stealing data from customers. More HPE says customer data was compromised in an Aruba data breach. MoreVulnerabilities:  CISA has relased an advisory on multiple vulnerabilities in Siemens’ Nucleus Realtime Operating System. More Samba has reseased multiple security updates. More SAP Patches Critical Vulnerability in ABAP Platform Kernel. More 14 new vulns discovered in BusyBox. More Zoom patches high risk issues in Meeting Connector and Keybase. More Palo Alto patches a CVSS 9.8 vulnerability in GlobalProtect. More Adobe has released updates for multiple products. More VMware has released an advisory on a priviledge escalation vulnerability in VCenter Server. MoreCompanies: McAfee is going private in a $14 billion private equity deal. More Jetpack has acquired WPScan. More
TECHNOLOGY NEWSSeoul is going to be the first major city in the metaverse. My first question was, “cool, which one?” And the answer is—their own. That’s the trick with all these metaverses: they only work well if you have a big clear winner that everyone flocks to, or if they’re interoperable with each other. Which of course they won’t be. So what we’ll end up with—at least at first—is a bunch of really small metaverses with a limited number of users. What people think of as a metaverse is actually Ready Player One, which of course is an instance of the first version. It’s one big company winning all the marketshare. More 

23andMe CEO says she wants to make better drugs using the insights from her company’s millions of DNA samples. More

AMC now lets you buy movie tickets with Bitcoin. More

Digital art images are not actually stored on the blockchain. If you were to store a 500KB file on the Ethereum blockchain it would cost around $20,000. What’s stored instead is a URI pointing to the image. Big difference, especially since you can change what’s at that URI. Someone has to have thought of storing the URI plus a hash of what was there at creation time. More

Rivian had an amazing IPO, rising 29% on Wednesday and then 22% on Thursday. It closed at $122 after opening at $78. I’m not watching the space closely, but I can’t help but feel like a lot of this hype comes from people feeling like they missed the Tesla boat, and they want to make sure they don’t miss this one. But there’s no guarntee whatsoever that Rivian is another Tesla. More

TikTok is getting into mobile gaming by partnering with Zynga. Um, how do I invest? More

Twitter is building a crypto team. More

Companies: Shopify’s q
HUMAN NEWSA new class of drug has reversed paralysis in mice. I normally don’t post these types of stories because 1) they’re mice, and 2) there are lots interesting studies that don’t end up being practical. This one looks pretty spectacular. They cut the spines spines of the mic, waited 24 hours, and then gave the treatment. The mice that got the treatment could walk almost as well as before the damage four weeks later. Those who did not get the treatment did not. More

Hiring is way up in North America—for robots. Factories and other industrial customers ordered 29,000 robots, which is 37% more than the same time last year. Cool, so more and more people are leaving the job market, and meanwhile we’re hiring more robots. Everything seems perfectly on schedule. More

CNN has a story of a 9-year-old girl being sold to a 55-year-old man in Afghanistan. I thought it was just a regular story, like something they heard about a verified, but they actually filmed it as the man showed up, paid the father $2,000, and took her away. I get that this type of thing is legal in Afghanistan, but I don’t see how legality makes it ok to watch a 9-year-old girl be taken away to be raped by an old man. I don’t usually post such heavy stuff, but this is both disturbing and very strange to me. Are we so invested in multi-culturalism that this can be considered ok to someone? Different cultures have different views? Is that serious a defense here? To anyone? She’s 9-years-old. Do we not have the moral authority to call this what it is? And if you do claim that authority, why not pay the $2,000 yourself and keep this from happening? I know it can be hard to be a war correspondent and not interfere, but this is way beyond that in my opinion. I don’t know how one is supposed to hold a camera and be objective about this. More

Los Angeles and San Diego are looking to stop strict grading on things like turning in assignments and taking tests, and they’re moving more to “citizenship” scoring, which factors in things like physical fitness and extra-cirricular activity. This is completely ridiculous, and then only thing it’s doing is guaranteeing that ambitious parents and students will either 1) have tutors, 2) go to supplemental schooling outside of school, or 3) will leave the public schools altogether. This type of education is basically creating a giant American underclass that will end up serving food to the first and second-generation immigrant students who still value actual education. That’s the irony: I’m sure you could ask any administrator in these schools about income inequality and they could tell you all about it, but what they can’t see is how they’re actively creating it. More

America now has 520 million open credit card accounts, which is the most ever. Household debt is at $15 trillion. More

There’s a political gap in the number of people who’ve died from COVID, and it the gap is spreading. “In October, 25 out of every 100,000 residents of heavily Trump counties died from Covid, more than three times higher than the rate in heavily Biden counties (7.8 per 100,000).” More


CONTENT, IDEAS & ANALYSISDegrees and Credentials in InfoSec — My thoughts on the neverending debate around whether you need credentials to get into InfoSec. More

Quantum Computing vs. Blockchain/Crypto — People are starting to talk more about the risk of quantum computing to blockchain and cryptocurrency. It’s been a known risk for a very long time, but now that crypto is becoming this massive force in our economy, people are taking more notice. The summary is basically this: 1) quantum computers keep getting better, 2) we’re not sure if/when they’ll get good enough to attack current public-key cryptography, but it could be 2-10 years, which is very fast, 3) if that happens, whatever economy is based on cryptography could suffer a hard crash, and 4) there are ways for blockchain and other cryptography implementations to become more resistant to quantum computing, and the US government has been working on this for a long time, but making those changes will also take time and could have other performance implications. In short, it’s something to watch.

COVID Winter — I’m not an expert in this stuff, but take this for what you will. I expect to see another COVID surge in December and January based on a few factors. 1) Resistance from vaccines is tapering off quickly, with people with 2 shots of Moderna having around a 58% effectiveness of the vaccine after 6 months. For most people, that’s October. 2) People are seriously tired of being restricted, and they’re likely to behave very pre-pandemic-like during these holidays. And 3) I worry that relatively few people are going to get boosters until the surge is already going strong, say around January to February. This thing is not over, and the points above don’t even account for additional variants. My layperson advice: Get a booster and only hang out with large groups outdoors.


NOTESMy friend Angela, who also happens to be UL’s Manager of Sponsorships and Marketing, has a remarkable daughter named Hope. She recently decided she wanted to make a play, so she rewrote an adaptation of Midsummer Night’s Dream. That would be impressive by itself, but she decided to produce and direct the play as well. That means finding sponsors, managing expenses, finding actors, holding practices, and generally managing all the logistics that go with such a thing. Oh, she also acted in it. I wasn’t able to attend, but I hear the play was well-received. She’s 15. Congrats to Hope, and to her parents for raising such a remarkable human.  

I’ve started having Athletic Greens every weekday morning along with my coffee. I’m not affiliated with them, but if you sign up using my referral code you’ll get 5 free travel packs and I’ll get $15 off my next purchase. I basically treat it as vitamins, and since I don’t eat breakfast or lunch most days it ends up being my only “food” until dinner. Sign Up With My Code

I found my favorite DJ perhaps ever. He’s on TikTok, and his name is gta_changretta. He’s disabled and restricted to the bed, and controls his set using one hand on his machine. He plays the exact type of EDM that I like, plus he speaks Spanish and plays a lot of Reggaeton, which I also like. If you’re into any of this, and have a way to enjoy TikTok safely, you should check him out. I like listening to him live and going driving. Serious hype. More

I signed up for Twitter Blue. Not sure there’ll be any benefit, looking at the current features. But I like the idea of subscriptions and I want them to be successful and keep rolling out new functionality. Currently, the main draws are the undo feature and ad-free article viewing.


DISCOVERY  

If your company is interested in sponsoring an episode of Unsupervised Learning, reach out to us here! UL Sponsorship [ Sponsored Discovery ] 

Security Incident Containment with Teleport

What would you do when a security incident is detected? Shut down the servers? Pull out the power cord? When an incident is detected, both the incident method and the time required to contain an incident are essential to limit the damage.

Teleport allows you to control the traffic going in and out of a system, giving you the ability to quickly contain lateral movements and prevent further infection propagation due to compromised access. When your infrastructure access is managed by a uniform layer—with only one way in and one way out—it becomes super easy to contain a threat.

Learn More 10 Steps Towards Happiness More

Burning Man: The Musical — In this musical comedy we follow Molly, a promising young tech grad, as she returns to the playa of Black Rock City – this time employed by the very tech company that, unbeknownst to her, seeks to destroy it. After being given the task of acquiring drugs for her boss’s exclusive party, Molly finds herself on a journey inward – and through the community of Burning Man – finds her truest self. More

An interesting argument that writer’s block is a problem with sincerity. More

A bakeoff betwen the iPhone 13 Pro and the Pixel 6 Pro cameras using 2,000 photos. More

Binary Reversing Methodologies More

Simple SSH Security — A collection of steps to lock down your SSH instances. More

Gron — Make JSON greppable. More | by TomNomNom

Fast Google Dork Scan More, by IvanGlinkin

APIs for OSINT — A collection of APIs for use in automating your OSINT workflows. More | by cipher387

Quiet Riot — An enumeration tool for validation of AWS account IDs, root emails, users, roles, and more. More | by RighteousGambit


RECOMMENDATIONS

Sam Harris had a spectacular podcast this week about sleep. It’s a 4-hour conversation that’s completely approachable at 1.5x, and it’s so dense with knowledge and insights I don’t think you’ll mind the duration. It’s funny: my entire peer group is getting more and more obsessed with sleep now, and between this podcast and podcasts like Huberman Lab, I am getting a single message: Sleep is crucial to success, happiness, and long-term health. So now I’m about to go crazy with my optimization of sleep—from diet, to caffeine, to smart home temperature setting for bedtime and wake time, etc. And when I finally publish my new personal routines in Github I’m going to have a full section on sleep annotated with where I learned which piece of the methodology. Anyway. Sleep. This is a great podcast to get you enthused. Also, a ton of us in the UL Community are big into our Oura rings, and a few of us have our new ones on the way. If you get into sleep I highly recommend you get one. Sam’s Sleep Podcast | The Oura Ring


APHORISMS“The sole cause of man`s unhappiness is that he does not know how to stay quietly in his room.”

~ Plutarch