Daniel Miessler's Blog, page 47
August 2, 2021
Unsupervised Learning Newsletter No. 292
MEMBER EDITION | Episode 292 | Monday: August 2, 2021
SECURITY NEWS
NSA has released new guidance on how to securely use wireless devices in public places. I have to say it feels pretty remarkable to see the government—any government—putting out good content like this. More
The FBI has revealed the top targeted vulnerabilities of the last two years. The top ones were Citrix, Pulse, Fortinet, F5, and MobileIron. More
After 10 years, Google's Vulnerability Rewards Program has rewarded 2,022 researchers with around $29 million in payouts. They're now launching a new platform at bughunters.google.com. The new program comes closer to unifying bug submission across all of their products, better interaction mechanisms, an improved leaderboard, swag, and other improvements. More
The creators of PunkSpider are facing scrutiny because they plan to release a new version of their tool at DEFCON next weekend. The tool basically scans the internet's websites and finds and publishes web vulnerabilities for everyone to see, including allowing people to search the results. The argument against this is that it'll give attackers a chance to hit targets before victims have a chance to fix the issues. The argument for this is that they could do that already by running their own tools, and that the best way to apply pressure to fix things is to make them public. Disinfectant through illumination, basically. There will be lots of gnashing of teeth on the Twitters I'm sure. More
BlackMatter is a new ransomware gang that claims to be made up of the remnants of DarkSide and REvil. Their MO is to find people who already have access and offer them $100,000 for that access, assuming they have a substantial foothold and the target is in the US, UK, Canada, or Australia. More
Over 100 warship locations have been spoofed in the last year, and there's speculation that it could be part of a campaign to create a conflict based on mistaken identity. More
Vulnerabilities:
A number of malicious typosquatted python libraries have been found on PyPi. More
Incidents:
UCSD Health says they lost personal information in a data breach involving employee email accounts. More
Companies:
Cyber Asset Management Platform Neotic launches with $20 million in funding. They use APIs and Graph databases to track assets both in the cloud and on-prem. More
At-Bay raises $185 million to do cyber insurance. More
ActiveFence comes out of stealth with $100 million in funding to detect online harm such as abuse, disinformation, and fraud. More
TECHNOLOGY NEWS
Facebook's next big product is going to be Ray-Ban Smart Glasses. Honestly really excited to see what they release, even if all they do is add competition to the AR space. AR can't get here fast enough for me, and I love that Facebook, Magic Leap?, Snap, and others are all playing in this space. More
The Wall Street Journal did an in-depth analysis of TikTok's algorithm and how it's so good at figuring out what you like. The short version is that one metric matters more than all the others: Linger Time. "Every second you hesitate or rewatch, the app is tracking you. Through this one powerful signal, TikTok learns your most hidden interests and emotions, and drives you deep into rabbit holes of content that are hard to escape." More More
Shopify is allowing merchants to sell NFTs through their storefronts. More
Apple's Chip supplier, TSMC, is preparing its 2nm product for 2024. More
Cloudflare says AWS is charging way too much for egress traffic. More
Tesla passes $1 billion in quarterly profit after shipping more cars than ever. More
Apple's profits nearly doubled last quarter, and iPhone sales jumped 50%. More
Companies:
Square is buying Afterpay, which is a "buy now, pay later" service out of Australia for $29 billion in stock. More
Twitter is closing its SF and NY offices just a couple weeks after re-opening them. More
HUMAN NEWS
Just 6 companies—GE, NewsCorp, Disney, Viacom, Time Warner, and CBS—control 90% of US media. In 2011 it was 50 companies. More
Business Insider says Amazon employs 1 out of every 153 American workers. That's a Neuromancer Metric if I've ever seen one. More
Companies:
Hello Divorce raises $2 million to make it easier to get a divorce. More
CONTENT, IDEAS & ANALYSIS
Everything is K-Shaped Right Now — Much of our society is splitting into upwards and downwards strokes, across multiple dimensions. More
Simone Biles Pulling Out — I've seen a lot of ideas about this in various places and wanted to comment real quick. Essentially, I'm torn. On the one hand I say, "No Excuses!", because when you represent a country you basically have a job, and it's a job that's a lot more like the military than most jobs. One can view sport as a proxy for war, and it's generally unacceptable to just walk away in either sport or combat when you don't feel like continuing. That's one side. The other side says 2021 gets a full pass. 2020 wasn't normal. 2021 isn't normal either. And this Olympics probably shouldn't have happened in the first place. Everyone is still massively stressed due to a century-level event, which, by the way, we still haven't seen the end of. So, I think you can give anyone a pass right now. And if anyone deserves a pass, it's her. Hasn't she done more than enough for the US already? I think so. The way we know this was an extraordinary circumstance is that it happened at all. She's not a quitter. Quitters don't have that many gold medals.
Where Am I On PunkSpider? — Where am I on tools like PunkSpider? I'm not sure, actually, but I do know what we're doing now doesn't seem to be working, so I'm somewhat sympathetic to the illumination argument. I'm open to being persuaded by data, and the implementation also matters. How they run the project will shape how I perceive it being either net-positive or net-negative. More
Women in the Draft — The Senate Armed Services Committee passed a provision to require women to register for the draft. Here's what I suggest you do before forming an opinion on this topic. Go watch the opening scene for Saving Private Ryan and ask yourself if you'd be ok with that being a boat full of 18-20 year-old women. I am 1000% percent for 100% equality, but no—I am not ok with that being a boat full of women. More
NOTES
I'm back on my Neumann u87ai mic and my RODECASTER PRO podcasting rig, with Hindenberg as the DAW. I think the dedicated podcasting hardware (and software) might be better than the Universal Audio + LUNA setup I was using, just because it's designed to do only that (see Dedicated). I'm also using no plugins other than DeReverb for room echo. If you're interested or skilled at audio, let me know what you think of this week's sound. What I'm shooting for is a very natural feel, with just enough bass to be substantive but not so much as to sound boomy or be hard to hear with background noise.
I'm getting ready to do my last subscription pricing adjustment for quite a while. I'm moving to what a lot of the people I pay for are doing, which is $100 a year, or $20 a month. I like the evenness of it, and how much it incentivizes the annual plan. For those who are already annual, the price increase per month will be $3.33. So, going from $5 dollars a month to $8.33 a month. I'm hoping that what we're doing here is worth many times that, and I am not going to change this again before at least mid-decade.
I'm currently reading This is How You Lose the Time War, which won the Hugo and Nebula awards. I have heard it come up in like 5 conversations with friends recently, so I added it as an interrupt. This is on top of re-reading DUNE for book club this week. David selected the book because the new movie comes out in September. Can't wait. Both for the book club and for the movie. More
I'm also all-in on the new Ghostbusters movie. More
I had to cancel my plans for BH/DC in Vegas due to COVID. And it looks like this fall could be as bad for hospitals as last fall, or worse. Which for me also means no EDC in October most likely. Oh well, at least I'll be in a bigger place for this next lockdown. I'll take whatever positive is on offer.
DISCOVERY
PimEyes — A creepily-good reverse image search. I uploaded a random image of myself I just took with my phone, and it found pretty much every image of me online that exists. Even ones that look nothing like the picture I uploaded. Use with caution. More
Datasette — Take data of any shape or size and publish that as an interactive, explorable website and accompanying API. More
Crossfeed — A CISA released tool for continuously monitoring an organization's public-facing attack surface. More More
speed.cloudflare.com — I have been using the Speedtest thick client, combined with a CDN file download, to test my bandwidth for years now. I think Cloudflare's offering might have finally replaced it. More
Disinformation For Hire, A Shadow Industry, Is Quietly Booming More
Autonomic Security — Google's answer to SOCs being overwhelmed by expanding attack surface. More
"I went to the office for the first time. I fucking hated it." More
Using SSM to run Ansible on AWS hosts without requiring an external SSH listener. More
Covid Stockholm Syndrome More
RECOMMENDATIONS
If you've not read Jonathan Haidt, I strongly suggest you get into him. Start with The Righteous Mind, then The Happiness Hypothesis, and then if you're into youth/culture, The Coddling of the American Mind. I think he's one of the clearest thinkers on the maladies affecting the US right now.
APHORISMS
“The rider evolved to serve the elephant.”
~ Jonathan Haidt
News & Analysis | No. 292
August 1, 2021
Everything is K-Shaped Right Now
Starting last fall you’ve probably heard people talking about a “k-shaped recovery”.
Investopedia says it’s when two parts of the economy recover at different rates after a recession, but I most often hear it in the context of the haves and have-nots.
I think much of our world has become k-shaped, and I think the separation of the top and bottom is accelerating. Here are some examples that jump to mind.
Income and wealth distribution
Education
Job opportunities
Belief in vaccines
Belief in America
Belief in science
Belief in Liberalism
Belief in Capitalism over Communism
The unique problem we have is that when the bottom part gets low enough, or far enough away from the top, the whole enterprise is at risk. And by “enterprise”, I mean the country, or society. This k-shaped concept is true for economic recoveries, and it’s true for Democracy.
You know what else was K-shaped? France, before the revolution. K-shaped is a typographical proxy for wrought with peril, and we are wrought.
It’s not so much what people believe, or how well-off people are. It’s the delta between groups that matters more, at least for cohesion. And where we’re heading right now is unsustainable.
We’re likely heading for a new COVID crisis this fall, with some saying it’ll be as bad or worse than last time. But if the vaccines hold, it’ll mostly be a certain type of people dying.
That could spawn yet another economic blip due to lockdowns, but that will mostly be a certain type of people suffering.
And one group will blame the stupid people who didn’t get vaccinated, while the other will quietly die of what can only be a really aggressive flu.
Meanwhile the stock market booms, and some people are living their best lives.
Everything is K-shaped right now.
July 26, 2021
News & Analysis | No. 291
The US says China breached 13 pipeline operators between 2011 and 2013. According to FBI and CISA, the attackers were state-sponsored and made no attempt to modify pipeline operations in the targets. More
A top US Catholic Church official was outed after someone tracked his cellphone data to Grinder and gay bars. More
CIA’s director says he’s doubling efforts to figure out what’s causing Havana Syndrome, which has affected more than 200 US officials and family members globally. More
Clearview AI, the company that got in so much trouble for selling access to a database of people’s faces and profiles, just raised $30 million in investment. More
There’s a new NTLM Relay attack on Windows called PetitPotam. It works by forcing hosts to authenticate to an arbitrary machine via MS-EFSRPC. More
Kaseya has the universal decryptor for the REvil ransomware it was infected with. More
Antivaxx communities are adjusting their tactics to include speaking in code to avoid detection and banning. This example talks about “Dancing Folks” and “Non-Dancing” doctors. More
People are becoming concerned that getting benefits is increasingly requiring that you agree to the use of facial recognition technology. 25 states are working with a vendor called ID.me, which uses the tech to verify identities for unemployment applications. More
Vulnerabilities:
Cisco has released security updates for Intersight Virtual Appliance. More
Adobe patches 21 vulnerabilities across 7 products. More
Apple has released security updates for MacOS and iOS. More
Fortinet has patched an issue that lets attackers run as root. More
Companies:
Cyber Risk management company Firm Safe Security raised $33 million. More
Bug Bounty and VDP platform YesWeHack raised $18.8 million. More
DNSFilter raises $30 million. More
TECHNOLOGY NEWS
Companies are working on tech to pull carbon out of the atmosphere, called Direct Air Capture, and there’s significant interest from investors. More
DeepMind created a system called AlphaFold that it says has predicted the structure of every protein in the human body, as well as for many yeasts, flies, mice, and other organisms. The protein structures can be used to help understand and fight disease, and they’re releasing them all to the public. More
Netflix is gambling on gaming over buying music studios. More
Facebook is looking to become a Metaverse company. What does that mean? Basically, the convergence of physical, augmented, and virtual reality, along with an economy, and the ability to move seamlessly between them. I think this is smart, and Facebook is likely to do well as a first-mover in the space. More More
A survey by Unit4 says 83% of finance professionals plan to upskill on AI and related tech within 2 years. More
HUMAN NEWS
41 percent of people across 11 countries say their next car will be electric. More
China has effectively banned tutoring services in the country, essentially stating that education should be a matter of welfare not profit. More
A lot of experts are saying we’re likely to see large numbers of vaccine mandates once the FDA grants full approval to the main vaccines. Yes, you heard that right. The current offerings aren’t yet FDA approved. Once they are, many employers and businesses are likely to require people to be vaccinated. Pretty hard to do that when the FDA hasn’t signed off yet. More
India is considering a two-child policy to keep its population growth in check. More
PG&E will bury 10,000 miles of power lines. Many believe power lines could have been the cause of the massive fire in southern Oregon. More
CONTENT, IDEAS & ANALYSIS
Associate With Grinders — Why I enjoy biographies so much, and how I plan to adjust how I spend my time. More
How to Improve Vaccination Rates Using a Conspiracy — A conspiracy to use a conspiracy to improve vaccination rates. More
Dead Drops and Security Through Obscurity — A quick piece looking at the security of Dead Drops. More
The Presenting Vendor Paradox — Why so many conference talks come from company representatives. More More
InfoSec is Kids Falling Down Stairs — My analogy for security is kids falling down stairs. It’s easy to push them (Pentesting), and it’s easy to sit at the bottom and catch them (Defense). But after a while neither makes you feel that heroic. You just come to be sad that it keeps happening. More
Vaccination Math — Obvious to most readers, but helpful to pass on: a rising rate of infections in vaccinated people is normal in a population that is rapidly vaccinating. If a population is 100% vaccinated, and some tiny fraction of vaccinated people can still get sick, then 100% of people getting sick will be vaccinated. The trick isn’t to ask how many people who test positive were vaccinated, but rather, “What percentage of non-vaccinated vs. vaccinated people become hospitalized or died when they tested positive?” For example, 100% of COVID deaths in June in Maryland were unvaccinated. And cases and hospitalizations were 95% and 93% respectively. In Louisiana, 97% of cases and deaths since June were unvaccinated as well. It’s pretty much high-90’s percentages for cases, hospitalizations, and deaths everywhere in the US. Those are the numbers people should be looking at. More
NOTES
The UL Book Club today (Sunday) was outstanding. We talked for a full 90 minutes about the topics of China’s rise, the legitimacy of the book’s claims, and what can and should be done about China’s new approach. Fascinating discussion. We also picked the next book, which is Dune! David thought it was a good idea given the upcoming movie in September. More
Someone plagiarized a bunch of my and other peoples’ work, and I asked Twitter for help finding him and asking him to stop. The article came down in minutes, and I believe I framed it correctly in my messaging. In short, public callout, but a call for letting him learn his lesson and be forgiven. I still haven’t heard from the guy, though. Oh, and it looks like he’s blocked me on Twitter, along with everyone else mentioned in the thread. Maybe not so benign after all. More
Getting back into the flow of writing (5 items in CONTENT, IDEAS & ANALYSIS this week), and will be starting the new job this week. Super excited about everything right now! So many projects. So little time.
One of the new podcasts I just started listening to mentioned stretch gyms and breathing gyms. Not sure about you, but I’m not overly excited by the idea of breathing heavily in a room full of people right now. But stretching…that’s appealing to me. Right now I’m heavily focused on just getting my body working correctly. So, being really strong (weights), having a strong core (core workouts), and being flexible (stretching). I’ve never thought of full workouts just focused on stretching until I heard it on the podcast, but I’m intrigued. If you all know of any good remote options for this I’d love to partake. Bonus if they somehow integrate with Apple Fitness.
DISCOVERY
Drowning Doesn’t Look Like Drowning More
The Great Resignation More
A Full Guide to TikTok, by the Verge More
Wander the Night — A website that plays wonderful soundtracks inspired by wandering in major Asian cities. More
Dr. Who’s 13th season covers a single story. More
Reverse Engineering for Dummies More
Reconky — A Bash script that runs assetfinder, Sublist3r, amass, knockpy, httprobe, nmap, and eyewitness all in one tool. More
ReverseSSH — A standalone, statically-linked SSH binary for use in CTFs or pentesting. More
RECOMMENDATIONS
Consume more biographies of great people. My friend Travis McPeak just told me about a great podcast called How to Take Over The World, which, first off, has a great name. But second, it’s a phenomenal series about the lives of great people. Tim Ferriss did something similar I think, but less cleanly. Anyway, highly recommended. More
Hang out with Grinders. Make a list of your friends who are constantly working to improve their lives, their projects, their friends, and most of all themselves. Spend more time with them. Prioritize texting, voice, and video calling with them. Help them to be better, and ask them to do the same with you.
APHORISMS
“You are what you can’t stop doing.”
July 25, 2021
How to Improve Vaccination Rates Using a Conspiracy
I have an idea for how to reduce deaths from COVID.
Let’s start a conspiracy that Liberals actually don’t want Republicans to take the vaccine, because it’ll keep them safe from COVID. So they invented all the antivaxx stuff to make sure more conservatives get sick and die—so they can’t vote in 2022 and 2024.
So this is a plan to start a rumor about a hoax actually being a conspiracy.
(what an exhausting sentence)
The fake one.
So hopefully, if enough people hear about the conspiracy (to get Republicans not to take the vaccine), they’ll rebel by taking it! It’s like the opposites game.
—
Liberals: “Take the vaccine!”
Conservatives: “No!”
Liberals: “Ok, the vaccine is actually dangerous, and is worse than the disease.”
Conservatives: “You’re tricking me so I’ll get sick, you bastards! I’m going to take it!”
—
Quote from WSJ
And before you think I’m being unfair with Republicans, Kaiser did a study recently that showed that “more than 80% of Democrats have already received at least one shot, compared with 49% of Republicans. Twenty-seven percent of Republicans say that they won’t get vaccinated under any circumstances, and an additional 9% will do so only if required. The comparable figures for Democrats are 3% outright refusal and 3% only if required.”
This really is a stubbornness and trust issue, so maybe it’s time to use that as a tool.
Am I serious? No. But I’m willing to try almost anything at this point.
Associate With Grinders
The reason I like reading biographies so much is because I enjoy hearing about all the crap great people had to deal with. I wish I had a better reason, but that’s pretty much it.
Nothing is more motivating than hearing how people thrived despite failed relationships, being fired, being embarrassed, being ignored, being made fun of, being told they’d never amount to anything, etc. To have someone just keep GRINDING after all of that, never giving up, is tremendously inspirational to me.
First, it makes my challenges seem small. But second, when I do face adversity and challenge, it makes me feel akin to great people. It’s like a sign that you’re on the right path. It’s not really, because you might not be on the right path, but that doesn’t matter. What matters is progress, motion, and…action.
With all the change in my life right now, one thing I’m asking myself is who my fellow grinders are. It’s remarkable how easy it is to tell if someone is one or not. If they are, they simply can’t stop doing something. Maybe it’s not the smartest thing, or the best thing, but they’re never content to just watch TV or play video games for weeks, months, or years at a time. Those are grinders, and I respect them greatly.
I’m making a list of them that I know, and I’m going to be spending more time with them. More texting. More motivational chats. More sharing of projects. More cross-pollination of energy and ideas.
If you’re a grinder, I suggest you do the same.
July 23, 2021
Dead Drops and Security Through Obscurity
There’s massive confusion in the security community around Security Through Obscurity.
In general, most people know it’s bad, but they can’t say exactly why. And because of this, people tend to think the “Obscurity” in “Security Through Obscurity” equates to secrecy, meaning if you hide anything, it’s Security Through Obscurity.
This is incorrect, and Dead Drops are a great example of this type.
There are two pieces to a good security system.
The security mechanism
The security key
Security Through Obscurity is in fact bad, but it’s bad because it hides the first one—the mechanism—not the key. Keys are always kept secret!
A Dead Drop is a proven security system for two spies exchanging information and items without being caught. It works by placing a sensitive item within a very large public place, sharing that location with the other person, and then having them go pick it up.
Let’s say it’s the KGB doing this, in New York City. And let’s say the CIA suspects it.
Security Through Obscurity is when you hide the mechanism, and then when someone figures it out, the whole system is broken. It’s captured well in Kerckhoffs’s Principle, which comes from cryptography. It’s paraphrased as:
A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.
Cool, that’s cryptosystems. What about other types of security system?
Well, in cryptography the “system” is the encryption algorithm, and the key is the…well, the key.
In a Dead Drop system, the system is the Dead Drop mechanism, which is hiding something in a very large area—such as a city or a giant park. And the key is the actual location it was hidden.
This is solid security for one simple reason: The CIA can know a Dead Drop is being used but still not be able to break the system because they don’t know the location of the drop!
Sure, it’s in New York City, or in Central Park, but those are big places.
It’s the same with camouflage. You can know that other people are using it, but if you can’t see them in battle you still have to shoot everywhere. Which would be like checking everywhere in New York City for a drop.
In other words, brute force.
Assuming you have a sufficiently large area that needs to be covered.
And that’s fine for a security system. If the attacker has to try all key combinations, even after they know how your system works, that means you have a strong system.
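The brute-force argument above, worked through as an added example (mine, not from the original post): each system is split into a mechanism and a key, the attacker is assumed to know the mechanism, and the remaining work is the size of the key space. The key-space sizes for the dead-drop cases are constructed illustrations, not measurements.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SecuritySystem:
    """A system split the way the post suggests: a mechanism and a key.

    key_space is how many distinct key values are still unknown to an
    attacker who already knows the mechanism (Kerckhoffs's assumption).
    """
    name: str
    key_space: int


# Constructed examples. The SSH figure is the real number of TCP ports;
# the hiding-spot counts are illustrative guesses, not data.
KEY_UNDER_DOORMAT = SecuritySystem("key under doormat", key_space=1)
SSH_ON_ALT_PORT = SecuritySystem("SSH on alternate port", key_space=65535)
DROP_IN_BEDROOM = SecuritySystem("dead drop in a small bedroom", key_space=20)
DROP_IN_PARK = SecuritySystem("dead drop somewhere in a large park", key_space=100_000)


def is_security_through_obscurity(system: SecuritySystem) -> bool:
    """Once the mechanism is public, is there anything left to guess?

    If at most one candidate remains, the 'secret' was the mechanism
    itself, which is exactly the Security Through Obscurity failure.
    """
    return system.key_space <= 1


def expected_tries(system: SecuritySystem) -> float:
    """Expected guesses for an attacker who knows the mechanism and tries
    the keys in random order. For a uniformly chosen key among n values the
    expectation is (n + 1) / 2."""
    return (system.key_space + 1) / 2


def brute_force(system: SecuritySystem, secret_key: int, rng: random.Random) -> int:
    """Search the key space in random order; return how many tries it took."""
    candidates = list(range(system.key_space))
    rng.shuffle(candidates)
    for tries, guess in enumerate(candidates, start=1):
        if guess == secret_key:
            return tries
    raise ValueError("secret key outside the key space")


def simulate_mean_tries(system: SecuritySystem, trials: int, seed: int = 0) -> float:
    """Average brute-force cost over many random keys; should approach expected_tries."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        secret = rng.randrange(system.key_space)
        total += brute_force(system, secret, rng)
    return total / trials


if __name__ == "__main__":
    for s in (KEY_UNDER_DOORMAT, SSH_ON_ALT_PORT, DROP_IN_BEDROOM, DROP_IN_PARK):
        verdict = "obscurity only" if is_security_through_obscurity(s) else "keyed"
        print(f"{s.name:38s} {verdict:15s} expected tries: {expected_tries(s):>9.1f}")
    # The simulation confirms the (n + 1) / 2 estimate for the bedroom case.
    print("simulated bedroom mean:", round(simulate_mean_tries(DROP_IN_BEDROOM, 2000), 2))
```

The SSH row illustrates the post's caveat: 65,535 tries is a real cost for an untargeted scanner but cheap for a targeted one, so the key space matters relative to the attacker's budget, not in absolute terms.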
So, here’s how you know if something is Security Through Obscurity or not…
Separate out the mechanism from the key.
If the mechanism can be known without compromising the security, you have a good system.
Examples
KEY UNDER DOORMAT: Secure: No. Reason: There is no separate “key”; once you know the mechanism (key under mat), you have broken the whole thing.
CAMOUFLAGE: Secure: Yes. Reason: They still need to find you before they can shoot you, even if they know you’re using it.
SSH ON ALT PORT: Secure: Yes. Reason: It takes time and energy to try various attacks against all ports vs. just one. Note: this is much stronger against general attacks than against targeted ones where the brute force is worth the energy.
TRENCHES IN WARFARE: Secure: Yes. Reason: They still make it harder to hit the enemy with bullets and artillery, even if the enemy knows you’re using trenches.
DEAD DROPS: Secure: Yes. Reason: Even if you know someone is using a Dead Drop you still have to check everywhere, which is brute force, which means it’s a good system. Note: this gets less effective if the space is smaller, i.e., somewhere in a small bedroom.
July 21, 2021
The Presenting Vendor Paradox
There’s a paradox in information security where the community wants two things at once:
High quality research and talks, and
Unbiased research and talks
I’ve personally been one of these affiliated speakers countless times.
Many conference schedules, however, are full of talks from people who work at vendors.
Conversely, people in the crowd at these conferences often have two complaints about the content.
There isn’t enough good content, or
This presenter is just talking their own book! They sell ____________ service!
I think it’s ultimately a market failure due to natural incentives. As it turns out, very few people are both inspired and capable of doing research on a particular topic.
My friend Joel P. and I were talking about a recent Lawfare podcast where Matt Tait was on talking about the need for improved forensics on Apple devices.
He’s the COO of Corellium, which does mobile forensics.
Some people would balk at that, and say he’s horribly biased and you can’t trust anything he says. But there’s another way to look at that, through the lens of incentives.
Who else has the incentive to deeply analyze this problem, other than those who have oriented a business around solving it?
Clearly not many people, otherwise podcasts and conferences would be overflowing with talk submissions from non-affiliated speakers. They’re not.
Most conferences and podcasts are full of people thinking about a problem because that’s how they make their living, which is tied to money, which they get from a company, which has an agenda.
That’s the paradox.
We often can’t get a quality discussion of a problem without the participants having some significant financial association with one or more solutions.
So what’s the answer? There isn’t one, really.
We just have to be very clear about the biases we bring due to our affiliations, and acknowledge that without those biased participants we wouldn’t have much of a conversation at all.
July 19, 2021
News & Analysis | No. 290
July 12, 2021
News & Analysis | No. 289
Biden asked Putin on Saturday to disrupt the ransomware groups operating out of Russia, and said that the US will take “any necessary action” to defend itself. That’s strong language, but I don’t think it’ll be heard unless it’s accompanied by supporting action. More
The FBI says attackers are using technical support fraud, SIM swapping, and crypto exchange credential attacks to go after peoples’ crypto wallets. More
Microsoft has released out-of-band updates for PrintNightmare. More
A new piece of malware called BIOPASS is a RAT that side-loads OBS to record victims’ screens. More
Zencity is an Israeli data analysis firm that provides anonymized and sanitized trend information on social media, especially as it relates to misinformation. They already serve 200 agencies in the US and market themselves as providing trend data without revealing sensitive PII related to specific people. More
Microsoft paid $13.6 million in bug bounties in the past year. If this was ten times higher it wouldn’t seem too high. More
The Pentagon has canceled Microsoft’s JEDI contract, and is restarting the bidding process. More
We continue to see fallout from the Accellion hacks, with Morgan Stanley announcing a breach as a result of the attacks. Same with Blackbaud, and Solarwinds, and lots of other supply chain attacks. It’ll take years before we know how broad and deep they actually went. More
Amass (OWASP) has a new feature collaboration with SecurityTrails where you can share the subdomains you’ve found for a domain with the community. You add your SecurityTrails API key to Amass and use the -share flag to publish what you found to the API. Very cool! More
Palo Alto’s Unit 42 has analyzed REvil’s tactics and found them to be depressingly basic. Phishing, credential-stuffing RDP servers, etc. Depressing, yes, but why do something more advanced when the simple stuff keeps working? More
Recorded Future has detected Chinese APT group TAG-22 going after Nepal, the Philippines, and Taiwan using Winnti and other tools. More
China’s cyberspace regulator just said any company with more than 1 million users needs to go through a security review before offering shares overseas. The goal is to prevent the foreign listings from allowing an avenue for foreign government influence into the companies, and therefore into China. More
Jack Cable of the Krebs Stamos Group has launched a new tool that tracks ransomware payments, called Ransomwhere. More Tool
Vulnerabilities:
CISA has released a security advisory for Philips Hue PAC products. More
Cisco has released updates to its Web Security Appliance and Business Process Automation products. More
Western Digital users need to worry about another RCE. More
Incidents:
Insurer CNA reports a data breach after its ransomware incident. More
Companies:
NanoLock Security raised $11 million to continue protecting OT devices. More
ZeroFox acquires dark web threat intelligence company, Vigilante. More
TECHNOLOGY NEWS
A number of startups are using AI to create realistic voice and video for digital assistants, video game characters, corporate videos, and advertising. More Sample
Facebook is building a new city near its headquarters called Willow Park. It’ll be a self-contained city with 1,729 apartments, a hotel, and supermarkets, cafes, restaurants, parks, and a pharmacy. It’ll allow the company to employ 3,400 more employees at that location. More
Tesla has started rolling out its long-delayed Full Self Driving software update. Or at least it’s closer to fully autonomous driving. It enables numerous features that get us closer, such as lane changes and turns off the highway. Turns out this whole thing was harder than Musk thought it would be. More
Visa said it’s partnering with 50 crypto companies to allow customers to use digital currencies. More
Amazon is selling COVID test kits for $39.99 in the US. More
TikTok is inviting users to send video resumes to participating companies, including Target, Chipotle, Shopify, and others. Whether we like it or not, a lot of jobs come down to charisma and likeability, especially in customer service. Plus we know legacy hiring is horrendous. So I can see this being really successful. More
Amazon has been instructing managers not to tell employees whether they’re on a performance plan unless they ask. More
HUMAN NEWS
59% of Americans thought they were “thriving” in June, which is the highest percentage in over 13 years of measurement. The previous lows were at the worst parts of the 2008 financial crisis and the pandemic, both of which were at 46%. More Graphic
A Yale study has shown that psilocybin repairs brain cells in mice that have been damaged by depression. More
Cubans are protesting for freedom in some of the largest pro-change gatherings in decades. I’m sure China will be watching this closely. More
Death Valley hit 130 degrees recently, matching Earth’s highest recorded temperature in 90 years. More
New research in the journal Cell claims that neurons don’t just encode information in the rate of their firings, but also in their timing. It’s believed that this could explain how humans learn so quickly. More
The President of Haiti was assassinated in his home, and there are Americans among the suspects. More
A UC study found that there actually wasn’t a massive migration out of California. They said there was a migration out of San Francisco, but that 2/3 of those people stayed in the Bay Area and 80% stayed in California. More
CONTENT, IDEAS & ANALYSIS
Getting Good — A quick thought on how to get really good at something. More
NOTES
I finished our book club book in like two days after we selected it, and I’ve read two others since then. Getting the reading in! I’m currently re-reading a bunch of Mark Manson stuff.
I’m looking at installing a reverse osmosis system at my main sink. If anyone knows the best brand/options/tips, please pass them along. I am not sure I’m going to do a water softener for the whole house. Seems rather drastic, and I’m worried about it affecting other plumbing. But the water filter—yeah, that’s a must. Can’t have good coffee without good water. Any tips appreciated.
DISCOVERY [ Sponsored Discovery ] INKY — INKY uses machine learning and computer vision to identify and block zero-day phishing emails that get through legacy email systems. Using the most advanced detection techniques INKY blocks malicious phishing attacks on Microsoft O365, Exchange, and Google Workspace. I know and have worked with the team over there, and I use this service myself. It’s fantastic and if you’re in the market for email security you need to add them to your list. Get a Demo
Security Scorecards — Automated analysis and ratings of open source project security using a scorecard system. More
It Was All a Dream — A Python-based PrintNightmare vulnerability scanner that lets you test entire subnets for the issue and get the output as a CSV. More
Hakrawler — A Go-based web crawler for gathering URLs and JavaScript paths. More
Codingo shares his recon approach using SecurityTrails, FDNS, Whoxy, and other tools. More
Genealogy of Nassim Taleb’s Incerto. More
A FASCINATING interview about how products are less differentiated by features these days, and are increasingly standing out due to their story and messaging. Must read. More
RECOMMENDATIONS
If you have a NAS, make sure it’s not connected to the internet. If you look at all these QNAP and Western Digital RCEs, and you consider what most people have on their NAS, it’s probably not worth it to have it online. These companies tend not to be staffed with the security expertise to host your most sensitive data online.
- Go into your interface
- Make sure the system is up to date
- Make sure you have a strong, non-default password
- Take it off the internet
- Help your less-tech-savvy loved ones do the same
APHORISMS
“You are the artist of your own life. Don’t hand the brush to anyone else.”
~ Iva Ursano
