Daniel Miessler's Blog, page 45

September 12, 2021

Thoughts on the OWASP Top 10 2021


This post will talk about my initial thoughts on The OWASP Top 10 release for 2021.

Let me start by saying that I have respect for the people working on this project, and that as a project maintainer myself, I know how impossibly hard this is.

Right, so with that out of the way, here’s what struck me with this list, along with some comments on building lists like this in general.

The list’s biggest problem is that it doesn’t have a clear identity.

Is it a list of vulnerabilities? Is it a list of vulnerability categories? Is this for developers? Is this for security companies? Is this for security tool output labeling? Is it a tool for helping security metrics functions within companies?

It’s not clear.

Basically, when I look at this list, I don’t see a tangible list of things; what I see is an ontological mess.

The addition of Insecure Design is one of the problems. While I think everyone can agree it’s important, it’s not a thing in itself. It’s instead a set of behaviors that we use to prevent issues. Ontologically, we’ve confused a security process with the problems that process is meant to discover or prevent. As my friend Joel Parish points out, the far end of this problem is that Secure Design is meant to find everything else on the list. So, it’s basically an Inception-like “Draw The Rest of the Owl” type of situation. He’s like, “When does ‘failure to follow OWASP Top 10’ end up on the list?” Indeed.

The mixing of categories and vulnerabilities has always been a huge problem for me, both as a user and as an OWASP Project Leader. If you’re going to call out the worst vulns, do that. If you’re going to list a bunch of categories, do that. Or at least call out that you’re mixing the two.

Then you have the situations where things can fall into multiple categories. Not turning off FTP on your home router can be Security Misconfiguration and also Insecure Defaults. The same can exist with Vulnerable and Outdated Components and Software and Data Integrity Failures. Relying on an insecure component can hit both of those.

Security Logging and Monitoring suffers from something similar to Insecure Design. Namely, it sits in this weird realm between tangible and being part of a security review process. And it’s definitely part of Secure Design. So the question is, are we being told what exactly to log? Or are we just saying we should generally log? It’s the category vs. issue problem again.

And then we have the lonely SSRF at number 10. The only specific issue on the list. I mean it’s a good vuln, but it stands out like a vulnerability on a category list, which it is.

Analysis

I think ultimately this comes down to the first point: the list has an identity problem.

It started as a list of vulnerabilities that just had a hard cut-off at 10. So its purpose wasn’t to fix all of WebAppSec in 10 bullets. That mentality is what’s gotten us to the point of adding “Lack of Secure Design”.

Think of it in terms of two wildly different questions:

If you could only fix 10 specific vulnerabilities, which 10 would you fix first?


vs…

What are the first 10 categories or activities a security program should explore to improve their security?


Those are very different things.

These lists started as the former, and then over the years have migrated to the latter. We’re currently stuck in an uncanny valley between the two.

I’m not even convinced the list shouldn’t be categories. I’d love to hear the arguments. It could be that specific vulns are too narrow and not useful enough unless you do a Top 100 list or something. But what I do know is that confusion is not a good thing, and that’s what we’re grappling with at this point.

Recommendations to the team

Solve the identity problem, and be very clear in its communication.

Don’t start with the data and look for categories and vulns. Instead, start with the purpose of the project and the output you want it to produce for a defined audience, and then look at the data, and then the list.

In doing the first two, be willing to completely reconsider the list. It might be that it’s time for a bigger adjustment than ever for 2022. Like moving to pure categories, or pure issues. A reframing.

Summary

The list still provides value. It does. And I appreciate everyone’s work on the project. I just think it would be far more useful with more clarity around its identity and intended use.

Published on September 12, 2021 16:26

Amazon is Capitalism


I am sure there are a million reasons this isn’t true in the absolute, but I have had the thought multiple times recently that Amazon is pure Capitalism. Or pure market.

Essentially, they’re the cleanest example of harnessing multiple capitalist and market-based techniques and building a company around them.

Two Pizza teams is a good example. The idea is to keep a team size down to the size that can be fed by two pizzas in a room. The other thing they do is encourage you to try lots and lots of stuff, and they don’t care that much if it doesn’t work. They’re also huge on metrics to see what does and does not work.

It just seems like a big portion of why they’re so successful is because they’ve personified many pure business concepts into an actual company. So while other companies are companies first and they use some business concepts, Amazon is more like a company-shaped instantiation of the concepts themselves.

Again, I’m not saying this is technically true. I’m saying it might be interesting and/or useful to think of it that way.

Published on September 12, 2021 14:14

September 10, 2021

A Solution to the Ship of Theseus


There’s a thought experiment called The Ship of Theseus. It asks whether an object that’s had all its components replaced still remains the same object.

The ship wherein Theseus and the youth of Athens returned from Crete had thirty oars, and was preserved by the Athenians down even to the time of Demetrius Phalereus, for they took away the old planks as they decayed, putting in new and stronger timber in their places, insomuch that this ship became a standing example among the philosophers, for the logical question of things that grow; one side holding that the ship remained the same, and the other contending that it was not the same.

Plutarch


So, if you replace an entire ship over time, bit by bit, with replacement parts that basically look and function identically, is it the same ship? The same question can be asked for a human body, since our cells are constantly dying and being replaced.

Because I think a lot about the nature of reality, and specifically meaning, I don’t find this exercise that challenging.

To me, it comes down to the perspective of an observer to an object. If something doesn’t change in a noticeable way based on your relationship to it, then it can be considered—by you—to be the same object. If it changes significantly—based on your perception—then it can be considered different.

One good example is the Big Dipper constellation, which is technically Ursa Major. From our perspective on Earth, it looks like a ladle that you serve soup with. But that’s only because we eat soup, and because we’re in this particular location in space. And at this particular moment in time.

If we didn’t eat soup for whatever reason, ladles wouldn’t have any meaning. Or if we travelled to the other side of the galaxy, the Big Dipper wouldn’t look like a dipper of any sort. Similarly, if we just stay on Earth but wait a while, all the stars will move and it’ll no longer look anything like a ladle.

So, has the constellation changed? Is it still the Big Dipper in all those cases?

My answer is that it’s not if the person who’s assigning the label doesn’t see it as such anymore. It comes down to their perception based on their relationship to the object. If they’re forward or backward in time or space, or a few of the stars burn out, it might lose enough of its shape as to no longer be the real thing—at least to that person.

It’s the same for the New York Yankees. For some people it was a baseball team from New York when they were growing up, and it still is. It’s still the same team, even though the members of the team—and the managers—are all different. To others, they grew up watching a few key players, and once they left the team stopped being the Yankees.

It’s the same for the ship. If you’re an immortal bacteria living on a plank on the deck, you’re slowly seeing parts of the ship get replaced, until one day you see all your friends get pried up and replaced by other planks. At that level of reality, your whole universe is different. And this is most definitely not the same ship.

But if you’re a tree that lives for 5,000 years on a tropical island, and you have bad vision, then the Ship of Theseus visiting in 1901 will basically be the same ship when it returns in 1991, even if all the actual wood has been swapped with newer planks and beams.

So the answer to the question of, “Is it the same ship?” is simply this:

According to whom?


To some perspectives, it’s a new ship every few nanoseconds. And to others, it’ll be the same ship in 100 years—even if its wood is replaced with metal.

The perspective of the observer to the object is what matters, because that’s what determines whether or not a given amount of change has a significant impact on the identity of the object—relative to that observer.

If the change isn’t significant enough to the observer to call it something different, it’s the same thing. If it’s significant enough to be called something else, it’s something else.

Names aren’t reality; they’re just handles that humans use to describe things.

So the riddle isn’t about the ship at all. It’s about the name of the ship—which is a human thing, not a ship thing.

Published on September 10, 2021 01:04

September 6, 2021

News & Analysis | No. 297


SECURITY NEWS

CISA has added single-factor authentication to its list of bad practices. More

The FBI says China is going after Uyghurs based in the US using both in-person and digital techniques. More

Ok, so you know how a lot of restaurants are shut down or empty because there are no workers? Now imagine that for truck drivers. The ones that deliver everything to everyone. More

Mike Orlando, the acting director of the National Counterintelligence and Security Center, says China has been inflicting $200 to $600 billion in intellectual property theft against the US for the last 20 years. More

ProtonMail shared an activist’s IP address with authorities, even though it says it doesn’t log anything. Case in point: don’t use third parties for services with an expectation of privacy. Companies like Apple are really careful, but even they have to respond to subpoenas. Protonmail, VPN services, whatever. If it’s that important to you, and you can host it yourself, do that instead. You have no earthly idea what’s happening inside of a VPN or email provider that claims they don’t log. Don’t believe it. More

Rapid7 found a way to remotely disable the Fortress S03 home security system. Evidently all that’s needed is the owner’s email address, which can yield their IMEI, which can be used to disable the system. More

A former credit union employee in New York logged into the company’s systems two days after being fired and deleted 21GB of data. She’s now facing 10 years in prison, but my question is how she had that access days after being fired. More

Kaspersky says it’s seen IoT attacks double in 6 months. More

Organized criminal gangs are stealing tens of millions of dollars worth of merchandise from stores like CVS, Target, Ulta Beauty, and others—and then selling the stuff on Amazon. They give the example of someone walking into a CVS in the Tenderloin in SF and stuffing things into a trash bag and walking out. I was wondering what they were doing with the stuff. The article says Amazon is basically the world’s biggest pawnshop. More

China has banned effeminate men from appearing on TV. They have also limited the time under-18-year-olds can play video games to 3 hours a week. Ask me why this is the security section. More

The Navy has a new weapon that stops you from talking. It basically records you as you speak, and then plays it back at you really loud just as you’re speaking. It’s evidently so disorienting that it stops you from speaking. Anticipated uses include crowd control. Um, yeah. More

Vulnerabilities: Cisco has a critical security update for its Cisco Enterprise NFVIS product. More

An NPM package with 3 million weekly downloads has a severe vulnerability. More

Netgear has patched serious bugs in over a dozen smart switches. More

There’s a critical vulnerability in Atlassian Confluence that’s being actively exploited. More

TECHNOLOGY NEWS

Someone asked GPT-3 a bunch of questions about COVID and it answered better than a lot of experts. Truly impressive results. The final question: “When will the pandemic end?” Answer: 2023. More

In the movies you can often find someone pointing at an image on a monitor and saying, “Enhance.”, at which point the super blurry image becomes clear. Google just made major movement in that direction with a new AI Photo Upscaling technology. It must be seen. More

TikTok is getting into VR through a purchase of a company called Pico. This is the most significant VR news I think I’ve ever heard. If anyone can make VR real, it’s TikTok. More

In related news, TikTok just surpassed YouTube in hours watched in both the US and the UK. More

A new Korean law says Google and Apple need to allow developers to use other payment systems. More

Altos Labs is a life “rejuvenation” startup raising money and interest from people like Jeff Bezos. They currently have over $270 million in funding and their main MO is hiring top talent from universities and offering them extraordinary salaries and a lack of research red tape. More

I just got done talking about how cool Wirecutter was, and now it’s going behind the (NYTimes) paywall. Digital Access subscribers get access though. Another reason to sign up. More

It looks like Amazon is about to launch a line of Amazon-branded TVs. More


HUMAN NEWS

Northeastern University did a study that found that around 27% of healthcare workers are still unvaccinated. More

Cornell has found that rejected internal candidates are more than twice as likely to quit. More

More than 93,000 people died of drug overdoses in the US in 2020. More

A study has shown that rugby players show signs of cognitive impairment after just one season. More

A UK study found that being fully vaccinated reduces the odds of long-COVID by half. More

The WHO is monitoring a new COVID variant called “mu”, which they’re saying has mutations that give it the potential to evade vaccinations. It’s been found in 39 countries so far. More

Approval of labor unions is at 68%, which is the highest it’s been since 1965. More


CONTENT, IDEAS & ANALYSIS

China Ascending — Some are saying Xi is launching Cultural Revolution 2.0, which is easier to believe when he’s wearing a Mao suit in the story’s photo. He’s made a number of remarkable changes recently, including limiting kids below 18-years-old to below 3 hours of video games per week. The government is also putting out a policy that prohibits men on Chinese TV from behaving in a feminine manner. He’s essentially trying to build a nation of wholesome, loyal, and productive citizens that will be effective in future conflicts, whether economic or military. I don’t agree with how he’s doing it, but I do respect his push for unity within the country. And as a constituent of his #1 adversary, I am concerned the west is not prepared for this threat. United we could defeat anyone, but we are not united. We’re in the process of fragmenting into many small pieces, and that seems to result in only one outcome. I fear that if China does not overplay their hand and either 1) force its best people to leave, or 2) unify the world against them, they will become the dominant world power within 10 to 20 years. More

Apple’s Own Goal — A survey asked 5,000 Android users if they’d consider switching to an iPhone. A year ago the results were 33%, and the recent result was 18%. So almost half. 10% of the respondents who said they wouldn’t switch said it was because of the CSAM scanning issue. Separate from that metric, I think Apple just made a multi-billion-dollar PR mistake with this thing. Multi. Billion. They essentially counteracted, in one bad PR campaign, the years of effort they’d put into becoming known as the world’s #1 operating system for privacy. Multi. Billion. More

Geeking Out on Air Quality Measurement — I bought a tool that measures air quality, and it’s been a lot of fun. More


NOTES

I was on Ben Sadeghipour’s (Nahamsec’s) Live Recon show and the video is now live. It’s an hour and a half of conversation about hacking, security, and life. Really enjoyable discussion about lots of topics. More

I’m about to publish a couple of new sections to the Members Area of the site due to the overwhelming number of requests for them. First, I’m going to be adding a section for “what I use”, which is kind of like an EDC writeup, except for all major product categories. Second, I’m also going to be publishing a recommended books list, including multiple categories. Get Access


DISCOVERY

The HN September Hiring Thread More

SecuriBee’s Twitter Lists More

It’s not a labor shortage; it’s a wage and workers’ rights shortage. More

An SSH Lateral Movement Cheat Sheet More

Automating Authorization Testing Using AuthMatrix (Part 1) More

A Defender’s Guide to Cobalt Strike More

Why it’s so hard to make computer chips. More

Chekhov’s Gun — The principle that if you tell someone in fiction about a detail, that detail must become important later on. More

An nftables-based, Multi-route Firewall More

OSINT Workflows by @cybersecstu 


RECOMMENDATIONS

Sam Harris recently had Balaji Srinivasan on to talk about the future. It was one of the longest podcasts he’s ever done, and I highly recommend everyone listen. It’s literally a different way of looking at the future. Even if you don’t agree with the pitch, it’s a perspective you’ll be enriched by hearing. More


APHORISMS

“To see things in the seed is genius.”

~ Lao Tzu
Published on September 06, 2021 23:33

Geeking Out on Air Quality Measurement


I have a friend who’s a water snob. He convinced me to get a 6-stage Reverse Osmosis Water Filtering System from iSpring, which I love, by the way. But that’s a separate talk show.

No, I’m unfortunately not being paid for any of these recommendations. They’re just what I have.

Anyway, I’m in the Bay Area and have had too many days of an orange sun from massive air pollution. I’ve always wondered about air quality and air filters, but after buying a new house I put in an additional filter on the AC and spent a bunch on Coway Purifiers and a single Molekule Air Pro.

This was nice, and it made me feel good placebo-wise, but being a nerd I still wondered about efficacy. Like how much do these purifiers really make a difference? I’ve had some low-level sensors for years, like from Eve. But they always seemed like more of a peace-of-mind gimmick than anything else. I tried similar consumer sensors and ended up with drastically different readings from three of the same exact model. Garbage.

Then when Googling whether purifiers really worked, I ended up on YouTube where I saw someone using a Temtop Air Quality Tester, so I ended up buying the M2000 model from them.


The Temtop M2000 Air Quality Monitor

This thing is legit.

If I put it in a room with no extra air filter for a few seconds, the air quality goes up to like 12 in PM 2.5, which is basically parts per million of particles below 2.5 micrometers in size. PM 10 is 10 micrometers, etc.

If I turn on an air filter and come back in several minutes (depending on room size), it’ll end up at like a quarter or a third of that. And if I put the sensor right near the filter, the air registers as extremely clean within a few seconds.

Farts produce the opposite. It’s quite satisfying. I can literally fart under the covers, bring the sensor under the Dutch Oven cover, and the thing will actually alarm!

It’ll turn from green to orange and start beeping at me. It’s glorious. Incidentally, this is the same thing that happens if I take it into my garage or outside. It starts beeping within seconds as the air becomes many times worse.

So the other thing this thing does is CO2 testing, which I also find super interesting. There’s basically this balance between oxygen and CO2 in the air, and humans and plants have opposite roles. Humans breathe oxygen and put out CO2. Plants consume CO2 and put out oxygen.

And I love plants.

So naturally, I want to get a whole bunch of high-surface-area houseplants and improve the air quality even more in the house. On top of the central air filter and the extra purifiers.

Supposedly, plants can remove toxins as well as lower the CO2 in the house. But I’m highly skeptical of how much difference they can actually make just due to the amounts of plant surface area vs. the amount of air in a house.

Plants have been shown conclusively to remove CO2, but those tests were done in these tiny little enclosed lab areas. I am not sure that’s going to translate to the real world.

So what I’m about to do is use this utensil to test the before and after CO2 levels in the house. I’m getting measurements now, and then I’ll get more measurements after I put like 10 plants in the house. I like plants.

The other sensor it has is for Formaldehyde, which I’m not overly concerned about.

Anyway, enthused to have a new toy that can actually measure the efficacy of using air filtration and house plants to improve the air in your house. You can get them for like $100, and mine was like $200.

If you’re inclined to geekery, I recommend dabbling.

Published on September 06, 2021 01:12

September 1, 2021

What if Our Problems Aren’t Tech Problems?


I just woke up with a troubling—yet perhaps freeing—thought.

What if all our Culture War™ problems we’re having right now aren’t tech problems—but rather are the result of large groups of humans communicating—which is enabled by technology.

In other words, what if technology is just a means of exposing the ugliness that exists within humans? And specifically, ugliness that exists when large groups of humans are exposed to each other.

100,000 years ago when we were all running around in small groups, we were human. But we were small-minded and tribal. We were sexist and racist. And hated and distrusted out-groups.

That was our natural state, and we have somehow convinced ourselves that this is no longer the case, despite being shown over and over that it is.

What if Facebook and Reddit are nothing but megaphones and microscopes. Rather than create ugliness, they merely show us how ugly we actually are with increasing volume and resolution?

“Ok, sure…”, you might be thinking. “So what? Does that make it ok?”

No, it doesn’t make it ok. I’m not subscribing to the naturalistic fallacy that says anything that’s natural is therefore ok. Nature is full of rape and murder, and that doesn’t make those things ok. Same applies to innate human bigotry.

But what I think this can do is help us admit to ourselves what the real problem is. Which is ourselves.

Right now the narrative is that we’re perfect. We’re amazing. It’s just that goddamn technology!

“Facebook is tearing us apart!”, they say.

Well, no. What’s tearing us apart is exposing humanity to itself. More people seeing what others believe. More people seeing who others love. More people seeing how others behave. More people seeing who others are.

That exposure brings out innate ugliness and innate negativity. Until 2010 or so that ugliness was quite isolated, like back in our hunter-gatherer groups. It was there, but it was small, private, and isolated.

What technology has done is expose that ugly truth to the world. And now we’re on fire.

We see the same thing with machine learning. You teach it to learn about human culture by showing it a corpus of our behavior and it comes back as a raunchy, sexist, racist.

“Machine learning is raunchy, sexist, and racist.” Nope. It’s just a mirror. That’s us that we’re seeing, reflected back.

Right, so this is horribly depressing. So what’s the plan?

I believe the truth is almost always the best way forward, and I think this is an example of where we need truth more than ever.

It’s right to ask ourselves what harm technologies like Facebook and machine learning can be doing to our society. They are absolutely helping to bring about harm.

But we need to differentiate between two separate things:

The ugliness that’s being exposed in ourselves, vs. The idea that the tools themselves are dangerous

In other words, the dialog should change from:

INCORRECT: Humans are fluffy and nice, and tools like Facebook and ML find tiny pockets of negativity and magnify them to make it look like we’re bad. Therefore, those technologies are bad.

to…

CORRECT: Humans are primitive and ugly, with a streak of goodness within us that we are working to extract and magnify as we grow as a species. Therefore, we must be cautious about deploying technologies that highlight and magnify our ugliness at scale, and work to use that same tech to modulate the negative and magnify the positive.

The effects are often the same, but one is coming from delusional scapegoating of tools—which is a form of denial that’s unhealthy—and the other is coming from an honest acceptance of our own flaws.

So, yes, we absolutely need to make sure the tools aren’t being used to magnify ugliness, and in turn to create more than naturally exists. But we shouldn’t be under the delusion that it’s the tools themselves that are creating the negativity. That’s a cop-out, and it’s wishful thinking that will get us nowhere.

The tech isn’t making us bad; it’s showing us that we are bad, which is making us worse.

The distinction matters.

Published on September 01, 2021 00:32

August 29, 2021

News & Analysis | No. 296

This Content Is For Paying Members

Published on August 29, 2021 22:55

August 28, 2021

Random Thoughts on China’s Model vs. America’s


This will be a stream of consciousness post. Feel free to skip if you’re not up for some experimentation.

In the US.

There are many differences in how China is running their country vs. how we’re running ours. And I constantly flip-flop on which of those variables I’m thinking about, based on the books or articles I’ve recently read.

So I want to capture them and see if they can be simplified in any useful/non-destructive way.

The US is pushing individualism. China is pushing Nationalism.

The US is fragmenting. China seems to be uniting as its approach appears better at maintaining cohesion.

China’s economy is growing massively. The U.S. is doing ok.

China is massively restricting free speech. The US is tearing itself apart with free speech.

The US is giving every cultural faction a megaphone. China is using government policy to cultivate the type of culture it thinks is best for China.

China is investing massively in future-leaning education like AI. The US is removing the SAT as university enrollment criteria because it was advancing too many Asians.

The US believes freedom will ultimately win out. China believes you can’t win anything if you’re divided internally.

China would rather have less freedom but be the most powerful country in the world. The US is too fragmented to even think about the question.

The US controls the world by offering sweet economic deals and subtle manipulation. China will exert influence through direct leverage.

Chinese politics is communist cronyism backed by hyper-nationalism. American politics is Banana Republic lobbyism backed by short-term thinking and personal greed.

The US is telling itself that it’s evil and illegitimate. China is telling itself that it is the best country in the world, and that it is ascending to take its rightful place on top.

This isn’t the whole list, and they’re not perfect. And the ones that are decent are gross oversimplifications.

But even knowing that, I really struggle to see how the US wins this battle against China. I really do.

Long-term—like on the scale of a hundred years—I think freedom wins. It’s just really hard to restrict people’s individuality and desire for choice over long periods.

But.

Unfortunately, that doesn’t mean the US will have anything to do with any hypothetical future rise of freedom. That could be the rise of freedom within China, in 2073, after the US and Russia have fallen, and they’ve been the single world power for a couple of decades.

Or it could be in some new power that rises above all three.

Either way, I’m having a lot of trouble seeing how the US pulls this out. We’re spinning at full speed right now, and shit is starting to fly off.

Our politicians get elected by lobbyists and corporations, and as soon as they get into office they start working on their next campaign. Re-election is their priority.

We can’t build bridges. We can’t build trains. We can’t build shit. Because building requires cooperation, and everyone thinks they’re a snowflake that requires special accommodations. We’re a writhing mass of rats fighting over fragments of moldy cheese.

Meanwhile, China is locking down their gaming. Their media. Their education system. They’re taking measures to ensure that people grow up to be decent, productive members of society. Educated, wholesome, and loyal to the country most of all.

Are they doing that in a moral way? Um, no. Is a lot of it reprehensible? Yes.

But at least they’re fucking trying. At least it’s the topic of a meeting somewhere.

In the US we just had a massive group of politicians who hate a previous politician basically give him a pass on attacking the foundation of the country, all because they’re worried about their own re-election. They literally sold out the integrity of the country for their own preservation. And in doing so they virtually guaranteed the return of the man who will come back and do it again.

China has massive problems, but they would not tolerate a politician who puts their own personal agenda above that of the country. Or a party who lets them do so out of self-interest.

We’re fucking lost.

Our last president literally led an attack on Democracy, in broad daylight. Our current president just ignored all his advisors and executed the worst political and military blunder since Vietnam. Probably in large part due to cognitive decline.

And those two people are the best candidates we have.

How in the name of Christ did these two win an election? Like for anything?

Right, well, I wasn’t sure where this was going. And now you see where it went. More like stream of piss.

I’m going to leave it, though. It’s raw and honest, if nothing else.

Published on August 28, 2021 07:56

August 23, 2021

News & Analysis | No. 295


SECURITY NEWS

China is now requiring an annual security review for all entities that deal with critical information infrastructure. Such organizations now require a security team and are required to report breaches. More

A researcher found a database of FBI terror suspects on a misconfigured Elasticsearch server. It included names, genders, DOBs, and passport numbers for 1.9 million suspects. More

A US Customs and Border Patrol helicopter had a crazy encounter with a drone in February that they still can’t explain. It outran them and outmaneuvered them before disappearing into some clouds. At least they called it a drone and not a UFO. More

Attackers are now emailing employees and offering to pay them a percentage of the ransom if they launch malware from the inside. More

Tetris is a web hacking framework most likely developed by a Chinese government hacking team. It targets 57 Chinese websites plus the New York Times, and was designed to target Chinese dissidents. More

T-Mobile had a breach that exposed at least 40 million people’s data, and now that number looks to be closer to 60 million. I got a call from the New York Times regarding the story and got quoted in their piece. More

Mastercard is phasing out magnetic strips on their cards starting in 2024, and moving completely to chips. They say the transition will take until 2033. More

Vulnerabilities: Mandiant found a vulnerability in ThroughTek (Kalay) systems that affects millions of IoT devices. The impact could include accessing live audio and video streams or taking control of devices. More

Fortinet delayed patching a zero-day affecting their WAF until the end of August. More

Microsoft Power Apps service leaves data exposed. More

The Top 15 Linux vulnerabilities used by attackers. More

Companies: Paladin has launched Knighthawk, a first responder drone for cities. More

TECHNOLOGY NEWS

The National Highway Traffic Safety Administration is opening an investigation into Tesla’s autonomous driving claims based on 11 crashes since 2018. 11 seems low, but I’m happy someone is paying attention to the riskiness of so-called autonomous driving in Teslas. I’m a happy owner myself, but I don’t trust self-driving outside of the lowest risk situations. More

The second-largest mortgage lender (UWM) will accept Bitcoin later this year, which just hit $50,000 again. They said they’ll support other cryptocurrencies soon after. More

Facebook is leaning hard into VR. They missed mobile because they don’t have a phone, so they are trying to be first into the next big thing. They believe that thing is VR glasses or some sort of sight-based system, and they’re trying to make this catch on through something practical, namely—meetings. They’ve launched Horizon Workrooms, which is basically Zoom except you’re in VR so everyone looks like an avatar of themselves. More

A company called Mudita made a phone that only makes calls and sends texts. It’s part of the minimalist phone revolution. More

Palantir bought a bunch of gold to hedge against a Black Swan event. More

Companies: Role has raised $2.75 million to create a video collaboration platform for remote role-playing. More

HUMAN NEWS

The Pfizer-BioNTech vaccine now has full FDA approval, which means mandates are probably about to increase significantly. More

People now spend more at Amazon than Walmart, and now Amazon is planning to open large retail locations. I imagine they’ll take over the old end-cap store spots like Sears and JCPenney. They truly are the Borg, but in a good way. Mostly. What’s next? Probably healthcare. I’m guessing Walgreens or CVS. More More

65% of US workers are looking for a new job, and 9 out of 10 company executives say they’re seeing higher turnover. More


CONTENT, IDEAS & ANALYSIS

The EM Wave of Crisis and Appreciation — My essay on our repeating human oscillation between hardship, conflict, and appreciation. More

OnlyBans — OnlyFans, which is basically a sexual version of Twitch, is banning sexual content starting in October. How did they Tumblr themselves into such a situation? Because they take payments via Mastercard, and the payment processors are getting heavy-handed any place where child safety (or any other sensitive topic) is concerned. One theory, though, is that this whole child safety thing is an overblown PR campaign to push religious anti-sex politics. I’m reserving judgment until more data comes in, but this line of argument is interesting. More


NOTES

I’m currently reading Four Thousand Weeks, but I’m becoming skeptical. It’s a book on time management, but he’s spent three chapters saying the same thing already, and I’m starting to think he doesn’t have a system at all. More discussion in the UL Bookclub Slack channel. More Discuss

I got the leak fixed in my Reverse Osmosis water system. Simple replacement of a filter o-ring and avoided overtightening it this time. Absolutely love the water out of this thing, and thank you so much to the UL community for the great recommendation. More

DISCOVERY

Walking and Creativity More

Killer feature of the new Apple TV: You can hit the Siri button during a scene and ask, “What did they say?”, and it’ll rewind the scene a bit and turn on captions temporarily so that you can hear/see what you missed. More

Thought-terminating Cliché More

“Grow your best employees or lose them”, a thressay by my buddy Travis McPeak. More

“Don’t be trapped in the 20th century.” More

The Tao of Unicode Sparklines More

jc — Turn multiple UNIX commands’ outputs into JSON that can be parsed with jq. More

Malicious PDF Generator — Generate different malicious PDFs with phone-home functionality. More


RECOMMENDATIONS

If you drink a lot of water and your tap water isn’t REALLY good, you should consider a dedicated water treatment system. This one I just installed not only cleans the water with 6 different filters, but also does automatic remineralization via Alkaline supplementation. Best water I’ve ever tasted. More


APHORISMS

“Freedom is nothing but a chance to be better.”

~ Albert Camus
Published on August 23, 2021 09:11

August 19, 2021

News & Analysis | No. 294

This Content Is For Paying Members

Published on August 19, 2021 07:27
