Daniel Miessler's Blog, page 96

August 19, 2018

Unsupervised Learning: No. 137

I recommend reading this in its native typography at Unsupervised Learning: No. 137




Subscribe here to get this in your inbox every week.



Security News





The DHS is launching a new group to protect critical infrastructure. Link



Cisco is buying Duo Security for $2.35 billion. Link



Reddit had a security incident related to SMS 2FA, and their write-up on it is quite solid. I can actually gain trust in a company if they do an incident report well, and I think they’ve done that here. Link



It’s possible to identify individual Twitter users using only metadata. Link



BurpSuite has a new crawler, which allows for automatic session management. As a web app tester, this is fantastic news. Link



A number of sources are reporting that spam is increasing, and one often-mentioned reason is the decline of Adobe exploits. It’s an interesting lesson that economics is about changes and externalities. 



CompTIA now has a new penetration testing certification, called PenTest+. Link



Maria Butina—the Russian spy working in the U.S.—evidently blew her cover by getting drunk and bragging. This is very common for Link



Venezuela’s President has survived a drone strike assassination attempt. Link



North Korea is building more nuclear missiles. Link



Russia sold 84% of its U.S. debt between March and May of 2018. Russia said they just wanted to get more into gold, but given the information warfare campaigns they’ve been running against us, I can’t help but jump right to a pre-attack shorting move. No hard data to back that up—just a feeling. Link





Technology News





Draw This is an instant camera that creates cartoons using machine learning. Link



T2F is text-to-face generation using deep learning. You describe a person and it gives you an image. Link



Full genome sequencing is down to around $500 now, at least for this company. I’ll probably give it some time and see how the reviews are before I try it. But I’ll do it soon. Link



40% of VCs went to Harvard or Stanford. Link



BookTubers are YouTube influencers focused on books and reading. Link





Human News





Captain Picard is back in a new Star Trek series! Picard is the epitome of a true leader in my mind, and what I learned from that character continues to inform me even now. I bet he’s going to teach us this time (among other things) about the value of truth and facts in a world full of misinformation. Just a guess. Link



A Stanford study has linked depression to low levels of acetyl-L-carnitine, a compound sold as an over-the-counter supplement. Link



There’s a new, elegantly simple card game called The Mind that is attracting a cult-like following. Link



Even mild dehydration can impair cognitive performance and mood. Link



Bacteria are starting to adapt to the alcohol in hand sanitizer. Link



A study by Bank of the West found that almost 70% of millennials regret buying their homes. Link



Japan is urging workers to take Monday morning off to combat overwork. Link



The FDA may soon approve MDMA for treatment of PTSD. Link



France has banned smartphones from classrooms. Link



Young workers aren’t interested in construction jobs. Link



Parents are hiring Fortnite tutors for their kids. Link





Ideas, Trends, & Analysis





Many believe that blogs are less popular (and less read) now because of the shuttering of Google Reader, and the subsequent consolidation of content consumption on platforms like Twitter, Facebook, Reddit, and Medium. Link



I’m reading the Superforecasting book, and the high-level summary of what makes a top-tier predictor is someone who is dedicated to self-improvement. This makes sense to me because it’s consistent with someone who doesn’t cling to the past—including past opinions. When the information changes, your opinion changes with it. Link





Discovery





BurpSuite has a new crawler. Link



Burp’s new crawler has automated session handling. Link



Burp’s new crawler can handle changes in application state. Link



Leonardo Da Vinci’s to-do list from 1490. Link





Notes





I’ll be in Vegas this week for BlackHat / DEFCON, and you should come by the IOAsis to help us celebrate 20 years. We’re at the House of Blues on Wednesday the 8th, and we’ll have a ton of security talks, plenty of hydration and caffeine, as well as massages! And new for this year, we’ll have the EA Experience Gaming Zone, where you can play some of the newest EA games.



I’ll also be available around BH/DC to chat about my Attack Surface Monitoring service HELIOS. TL;DR: it monitors your external attack surface—both on-prem and cloud—and tells you almost instantly when something dangerous gets exposed. So if someone makes a mistake and accidentally puts a database on the internet, leaves a web admin interface out there, exposes data via S3 buckets—and dozens of other types of exposures—you’ll know immediately via API push, Splunk, Slack, etc. Reach out to me here if you want to arrange a chat.



Books I’ve read recently: Subscribed, The Accidental Universe, Venture Deals, Origin Story, The Order of Time, Factfulness. And I’m currently reading Superforecasting.



And thank you so much to those of you who sent in fiction ideas. I received almost a hundred responses on that, and they were fantastic. I now have a solid queue of fiction titles as well! The first two are going to be The Way of Kings and The Blade Itself.





Recommendations





Consider running ssh-keygen -p -o -f $PRIVATEKEY on each of your SSH private keys to convert it from the legacy PEM format to the newer OpenSSH key format. In the legacy format the passphrase is stretched into the encryption key with a single round of MD5, which makes offline guessing against a stolen key file cheap; the new format (the -o flag, default in OpenSSH 7.8 and later) uses bcrypt, and -a lets you raise the round count. The conversion only helps a key that actually has a passphrase, so set one if the key has none. Link
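An added example, not from the newsletter: a small Python checker that tells you which of your key files still need that conversion. It classifies a private key as legacy PEM (OpenSSL Proc-Type/DEK-Info headers, passphrase stretched with one MD5 round) or as the openssh-key-v1 format, and for the latter decodes the header to confirm the cipher, the KDF, and the bcrypt round count. The key texts below are constructed stubs with no real key material, and the -a 100 round count in the verdicts is an assumption, not an OpenSSH default.

```python
import base64
import re
import struct
import textwrap

MAGIC = b"openssh-key-v1\x00"  # leading bytes of the decoded new-format blob
LEGACY_BEGIN = re.compile(r"^-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----$")
NEW_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"


def _string(b):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def parse_new_format(text):
    """Decode the openssh-key-v1 header: magic, ciphername, kdfname, kdfoptions."""
    lines = [l.strip() for l in text.strip().splitlines()]
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(MAGIC)
    cipher, off = _read_string(blob, off)
    kdf, off = _read_string(blob, off)
    kdfopts, off = _read_string(blob, off)
    rounds = None
    if kdf == b"bcrypt":
        # kdfoptions for bcrypt = string salt || uint32 rounds
        _salt, o = _read_string(kdfopts, 0)
        (rounds,) = struct.unpack_from(">I", kdfopts, o)
    return {"format": "openssh-v1", "cipher": cipher.decode(),
            "kdf": kdf.decode(), "rounds": rounds}


def parse_legacy_pem(text):
    """Legacy PEM: encryption is signalled by Proc-Type/DEK-Info headers, and the
    key is derived from the passphrase with one round of MD5 (EVP_BytesToKey)."""
    lines = [l.strip() for l in text.strip().splitlines()]
    encrypted = any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines)
    dek = next((l.split(":", 1)[1].strip() for l in lines if l.startswith("DEK-Info:")), "")
    return {"format": "legacy-pem", "cipher": dek.split(",")[0] if dek else "none",
            "kdf": "md5-single-round" if encrypted else "none",
            "rounds": 1 if encrypted else None}


def classify_key(text):
    """Return a dict describing the key file plus a one-line verdict."""
    first = text.strip().splitlines()[0].strip()
    if first == NEW_BEGIN:
        info = parse_new_format(text)
    elif LEGACY_BEGIN.match(first):
        info = parse_legacy_pem(text)
    else:
        return {"format": "other",
                "verdict": "SKIP: not an OpenSSH private key (PKCS#8, PuTTY, ...)"}
    if info["kdf"] == "none":
        info["verdict"] = "UNENCRYPTED: no passphrase; run ssh-keygen -p -o -a 100 -f KEY and set one"
    elif info["format"] == "legacy-pem":
        info["verdict"] = ("WEAK: legacy PEM, passphrase stretched with a single MD5 round; "
                           "convert with ssh-keygen -p -o -a 100 -f KEY")
    else:
        info["verdict"] = "OK: openssh-v1, %s cipher, %s with %s rounds" % (
            info["cipher"], info["kdf"], info["rounds"])
    return info


# Constructed sample: a legacy-format key carrying the OpenSSL encryption headers.
# The base64 body is a placeholder, not real key material.
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""


def build_new_format_stub(cipher=b"aes256-ctr", kdf=b"bcrypt", rounds=16):
    """Constructed sample: only the openssh-key-v1 header fields plus the key
    count, which is all the parser reads; no key material follows."""
    kdfopts = (_string(b"\x00" * 16) + struct.pack(">I", rounds)) if kdf == b"bcrypt" else b""
    blob = MAGIC + _string(cipher) + _string(kdf) + _string(kdfopts) + struct.pack(">I", 1)
    body = "\n".join(textwrap.wrap(base64.b64encode(blob).decode(), 70))
    return "%s\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % (NEW_BEGIN, body)


def scan(paths):
    """Classify each file on disk, e.g. scan(["/home/me/.ssh/id_rsa"]) (path assumed)."""
    results = {}
    for p in paths:
        with open(p) as f:
            results[p] = classify_key(f.read())["verdict"]
    return results


if __name__ == "__main__":
    import sys
    for path, verdict in scan(sys.argv[1:]).items():
        print(path, "->", verdict)
```

Run it against the files in ~/.ssh; anything reported WEAK or UNENCRYPTED is a candidate for the ssh-keygen command above. Note that the new format is only understood by OpenSSH 6.5 and later, so convert keys that an older client must still read with care.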

 



Aphorism





“There are two kinds of fools: those who suspect nothing, and those who suspect everything”.



~ Charles Josef de Ligne




I spend between 5 and 20 hours on this content every week, and if you're someone who can afford fancy coffee, please consider becoming a member for just $5/month…


Start Membership


Thank you,


Daniel

Published on August 19, 2018 23:16

July 30, 2018

Unsupervised Learning: No. 136 (Member Edition)





This week’s topics: Air marshal surveillance, Russians hacking control systems, Google 2FA, 23andMe sharing your data, Pentagon’s DoNotBuy list, technology news, human news, discovery, notes, recommendations, and the aphorism of the week…



Every week I spend 5-20 hours finding the most interesting stories in security, technology, and humans, which I then curate into a 30 minute podcast & companion newsletter.



This is the Member Edition of Unsupervised Learning, which comes out every week as opposed to only twice a month.



You can get this week’s episode, and every even-numbered episode going forward, by becoming a member below.








Begin Membership ($5/month)






or…





Annual Membership ($50/year) (2 months free)











Thank you,


Daniel

Published on July 30, 2018 09:59

July 29, 2018

It’s Becoming Difficult to Discuss Interesting Topics With People Who Don’t Read






Books are a uniquely portable magic.
Stephen King




The more I read the more I find it difficult to talk to people who don’t.



I am aware of how bad that sounds, but it’s not what you’re thinking. It’s not as if I don’t like talking to people who don’t have certain views, or who don’t have a certain background. It’s not a filter for people who think like I do, or who are similar to me.



I am reading around 24-40 books a year right now—good books—that expand my understanding of reality. They show me how little I know about things. They teach me that almost everything is interesting if you know enough about it. They give perspective. They instill humility. And they show you that other people have been through all these problems before.




We read to know we’re not alone.

William Nicholson




What I’ve realized is that reading is dramatically superior to traditional education. You can’t possibly learn as much in university as you learn by being well-read. Even getting a masters or a Ph.D. only exposes you to a smattering of books compared to an avid reader. It’s not even comparable.



But so many of my college-educated friends think that they finished learning all those years ago. They think they got some sort of permanent upgrade that just keeps working five, ten, and twenty years later.



It doesn’t.



Most courseware isn’t even up-to-date when you take it. It’s often stale content from decades before that remains due to sheer laziness of the professors and administrators. You read a few textbooks, and maybe some supporting content related to it. You learn enough to pass some tests, and then you never think about it again.





When I talk to people who haven’t read a good non-fiction book in ten or twenty years, it’s like I’m talking to someone who was just extracted from a glacier. They refer to what was cutting edge in high school or college, they talk about scientific theories that were proven wrong years ago, and generally tell me about the world as it used to be rather than how it is today.



It’s like I’m a CIA analyst working on a case being mentioned in the media, and I’m listening to a random person on the street clumsily speculate about what happened when they haven’t read the classified reports.



Except it’s more frustrating because the reports aren’t actually classified. They’re just books—available in the library—if they only took the time to read them.



So I’m talking to people about the brilliant things that Max Tegmark said in Life 3.0, or Yuval Harari said in Homo Deus, but they only understand every tenth word because they haven’t read anything decent since the 1990s.



I hit them with the authors’ most powerful ideas on AI and human evolution—and what it made me think and write about—and they look at me blankly and say something like:




Yeah, we’re all about to be robots and Skynet is going to take over the planet.




Great, that’s some deep analysis. I’ll let you get back to your sitcoms.



Again, this has the potential to sound very condescending, which is not a look I like from people, and definitely not from myself. The reason I’m compelled to share this with you is that it’s not me being smart when I read.



I’m not telling you how great I am. I’m telling you how great reading is.



I have nothing to do with it. It happens to everyone who reads. When you read good books you can’t help but become smarter. It’s like putting your finger in an electrical socket, and being charged with creativity and inspiration.



Being an avid reader of good books is like the world’s best ideas constantly having sex in your brain. Hundreds of the best ideas, copulating with each other, interacting, mixing, sharing, and mutating into new thoughts that you can’t help but experience.



Their thoughts mix with yours, and new thoughts arise. But it all comes from exposure to a high volume of quality ideas. I know this because when I stop reading—even for a few weeks—the studio goes dark and the colors fade from the canvas. I stop having ideas, like the end of Flowers for Algernon.





Let me state this another way. If you aren’t reading at least one good book a quarter, you are basically a sedated version of yourself. You are on low-power mode. You’re firing on one cylinder. You’re playing chess after being hit with a tranquilizer dart.



If you are trying to be creative, trying to be successful, trying to get ahead—and you are not reading at least several good books a year—you are functioning at 15% of your potential.



And it’s frustrating to talk to intelligent friends and associates who move through the world in this state when I know the solution.



You just have to read.




In my whole life, I have known no wise people (over a broad subject matter area) who didn’t read all the time – none, zero.
Charlie Munger




Happily enough, I have something to get you started. Here are a few of the books I’ve read in the past few years that I’d recommend for you to start with.




Develop into a lifelong self-learner through voracious reading; cultivate curiosity and strive to become a little wiser every day.
Charlie Munger





The War on Normal People
Homo Deus
The Red Queen: Sex and the Evolution of Human Nature
Life 3.0
The Inevitable — The 12 Technological Forces That Will Shape Our Future
Naked Economics
The Subtle Art of Not Giving a F*ck
The Dictator’s Handbook: Why Bad Behavior is Almost Always Good Politics
Spent
Sapiens



Think before you speak. Read before you think.
Fran Lebowitz




Summary


I am a voracious reader, and I have creative superpowers.
It’s not me—it’s the books, and I know this because when I stop reading the superpowers go away almost instantly.
The most effective people in the world are readers as well.
It’s hard to talk to non-readers about interesting topics because their education is decades old.
You must read at least one great book a quarter, and ideally four.


Start now with the list above. They will literally make you a superior version of yourself, through no effort of your own other than reading them.



And keep it up.






Thank you,


Daniel

Published on July 29, 2018 20:47

July 28, 2018

Summary: The Inevitable — Understanding the 12 Technological Forces That Will Shape Our Future





Main concepts

Becoming – We are in a state of unceasing change and are continually learning and adapting (we are constant ‘newbies’) to the new that is unlike anything that was before.
Cognifying – Applied intelligence will be available just like electricity was over 100 years ago. It will be embedded into everything and change the nature of how things work.
Flowing – Stocks to flows, ownership to use. Atoms and bits are now flowing from creators to consumers who are themselves creators. We want things that flow, in time and space.
Screening – We will interact with information through screens. All information will become fluid, linked and tagged. All content and libraries will become symbols on screens we interact with.
Accessing – The availability of anything, atoms or bits, immediately without owning. Whatever you need you can get, and get the latest and best. Ownership is no longer necessary.
Sharing – Everyone creates and it’s all shared. Any idea, thought, expression or artifact can be contributed to by anyone and experienced by anyone if they so desire.
Filtering – Attention is the scarce resource. Allocating it to an exponentially expanding universe requires filtering based on who we are. Future filters will both serve us and surprise us.
Remixing – Whatever is new is a remix of what exists. Remixing requires radical deconstruction and the ability to find the pieces to recombine and transform into something new.
Interacting – We will interact with our devices and with others in realistic virtual and augmented worlds. Our devices will ‘know’ us and we will know worlds and others through our devices.
Tracking – We will track and be tracked everywhere and everywhen. What we track will expand exponentially and become extra ‘senses’. ‘Coveillance’ will emerge where the watchers and the watched are transparent.
Questioning – Billions of connected people are creating a new level of organization where questioning is the norm and answers emerge from the collective. Unimagined questions beget unimaginable answers.
Beginning – Now is the time in which, 30 years hence, people will look back and say, ‘that was the dawn of the era we are living in’. These forces will shape our future and we are only at the beginning.



Summary from here.






Thank you,


Daniel

Published on July 28, 2018 17:20

July 27, 2018

Anatomy of the American Death Spiral









America is struggling in a way that it never has before. This is not like the last times. It’s not a recession. It’s not even a depression. It’s a catastrophe.







The reason this time is so different is that Americans have always had something solid to fall back on when things fell apart. 







We’ve had religion.
We drew meaning from raising children.
We drew meaning from doing a day’s work.





We no longer have those things.







Religion and work have been eroded by knowledge and technology, and our focus on ourselves has largely surpassed our desire to sacrifice everything for our offspring.







This creates a Meaning Gap, and its vacuum is consuming everything we care about.







Jobs used to pay so much you could support two families on a single paycheck.

Some standup comedian






It’s a sad joke because it speaks to a primitive time where it was (almost) ok to have a mistress. But imagine being able to actually raise a family on what a parent brings in from a single, stable job.







Cause and effect





People don’t realize how essential good work is to the American psyche. And they also don’t realize how inevitable the progress is that’s removing that work.







Companies don’t owe us jobs, they owe shareholders profits. And they’re doing their absolute best to use AI, robotics, and other types of automation to replace the single largest drain on their bottom line: human workers.







As the jobs go away, and young males feel increasingly less valuable, they will be contorted into various demented shapes and behaviors—often including total withdrawal into video games, or acting out violently against a world that doesn’t need them.







You can’t get a president like the one we have today in a happy country.







Once the emptiness reaches enough people (which it clearly already has), we’ll start becoming vulnerable to extremely dangerous political rhetoric.







We’ll start believing that it’s not the technology and automation and natural human progress that’s the issue, but it’s the Blacks or the Mexicans or the Democrats that took everything away from them. Scapegoating is so predictable because it’s so effective.







In order to survive what’s coming, we are going to need to realize a few things:







It’s inevitable.
It’s a natural result of human progress.
It’s not caused by various groups around you who are benefitting from it.





Defusing any of those three would help us get through this, and would help vaccinate against the viral nature of hate rhetoric.







But that’s not the path we’re currently on. We’re currently on the path to blaming others and backing whoever will punish them the most.







America helped bring us the industrial revolution, and it’s going to be the first to experience the post-work revolution where most people simply aren’t needed for regular jobs like before.







The transition will be the hardest thing we’ve ever faced, and I hope we can survive it.








Thank you,


Daniel

Published on July 27, 2018 16:30

July 26, 2018

Explore



You can:




Read my tutorials.
Take a look at my projects.
Listen to the podcast.
Read the Newsletter.
Explore my most popular content.
Enjoy my recommended content.
Read my book on The Internet of Things.


Best,








Thank you,


Daniel

Published on July 26, 2018 16:49

Summary: The War on Normal People





These book summaries are designed as captures for what I’ve read, and aren’t necessarily great standalone resources for those who have not read the book. Their purpose is to ensure that I capture what I learn from any given text, so as to avoid realizing years later that I have no idea what it was about or how I benefited from it.



Capture


The number of jobs in the biggest companies is dramatically falling because they see employees as a cost and can raise productivity by hiring fewer people and doing more via automation.
> So what’s normal? The normal American did not graduate from college and doesn’t have an associate’s degree. He or she perhaps attended college for one year or graduated from high school. She or he has a net worth of approximately $36K—about $6K excluding home and vehicle equity—and lives paycheck to paycheck. She or he has less than $500 in flexible savings and minimal assets invested in the stock market. These are median statistics, with 50 percent of Americans below these levels. ~ Yang, Andrew. The War on Normal People: The Truth About America’s Disappearing Jobs and Why Universal Basic Income Is Our Future (p. 25). Hachette Books. Kindle Edition.
The main job groups are clerical and admin staff, then sales and retail, food prep and service, factory workers, and transportation. Then there are professionals, creative workers, tech workers, and a number of other designations. But most jobs that will be replaced will come from those first several.
> The average age of truck drivers is 49, 94 percent are male, and they are typically high school graduates. Driving a truck is the most popular job in 29 states—there are 3.5 million truck drivers nationwide. ~ Yang, Andrew. The War on Normal People: The Truth About America’s Disappearing Jobs and Why Universal Basic Income Is Our Future (p. 43). Hachette Books. Kindle Edition.
Automation and AI will hit white-collar jobs as well.
5500 floor traders used to be on the stock exchange floor, and now it’s less than 400.
Kensho is a report writing service that replaces 40 hours of work by a highly educated human with minutes of automation.
No, we’re not going to have new jobs to replace the old ones lost to automation and AI.
> The test is not “Will there be new jobs we haven’t predicted yet that appear?” Of course there will be. The real test is “Will there be millions of new jobs for middle-aged people with low skills and levels of education near the places they currently reside?” ~ Yang, Andrew. The War on Normal People: The Truth About America’s Disappearing Jobs and Why Universal Basic Income Is Our Future (p. 74). Hachette Books. Kindle Edition.
Retraining doesn’t really work.
The place you live matters a LOT, and most of the jobs are in the cities, while most of the displaced jobs will be outside of cities, which are the same places suffering already.
The unemployment rate doesn’t show people underemployed or not looking for work. In reality, the rate is FAR higher.
We’re going to see higher productivity when the next recession hits because that’s when companies are going to lay off a ton of people and replace them with automation. That’s harder to do when things are going well.
Financial services and technology are taking most of the educated people.
He jokes about Stanford being called SIT now (like MIT) because nobody’s doing humanities anymore.
Scarcity is a poison that makes you less intelligent.
Marriage is now an upper-class thing.
Startups are like parenting: everyone has an opinion but nobody has a clue. His whole list on this is great.
People who are displaced have no meaning structure, which is why we’re seeing so many people on drugs and disability.
Young males are basically living at home and playing video games.
A massive percentage of people who get displaced get on disability, and then never get off. And they’re discouraged from doing anything for fear of losing that check.
The solution is we have to pay people to live, which will give them room to become productive.
Some people will abuse it, but most won’t. It’s not enough to live on by itself.
This should replace existing programs, not just add to them (which he is against).
He also talks about social currency, where you get paid in some type of credits for doing things that help people and society.
UBI has been endorsed by many conservatives as a simplified way to enable individual bootstrapping.


Lessons




When you have this much decline and suffering and lack of meaning you’re going to see a major move towards racism, and populism, which we’re already seeing.
This is what got us our current president. This was due to tech / productivity increases removing manufacturing jobs and creating this vacuum of meaning and trust. That opens the door to the scapegoating of outsider groups.




Takeaways


If you read this book you will realize that the system America is built on is breaking down, and that it must be replaced. This is not a dip or a recession, it’s a fundamental unmaking of the structure of society because everything was based on people having jobs that provided meaning.
We don’t have religion anymore. People don’t get the same value from being home-makers anymore. And the jobs that used to provide meaning are being made obsolete by automation.
This combination will destroy the foundation that makes democracy possible (a solid, educated population), and will push us right into a top rich class of 10%, and a bottom 90% that basically provides services for the top 10%.
This is not sustainable. It will lead to more and more extreme leaders (Trump2 anyone?) and ultimately the very rapid decline of America as we remember it.
The solution is to pivot VERY QUICKLY towards UBI and finding other ways for humans to provide meaning for themselves, and value to others.
This change is going to happen either way; the question is can we address it beforehand with less pain, or afterwards with maximum suffering.
That’s a matter of foresight and courage.
Try to get as many people as possible to read this book and to absorb its lessons.
The more people who get the message the better the chance that we’ll be able to make the necessary changes.
And in the short-term, make sure the people you care about are getting a degree and focusing on work that will be resistant to automation.
Make sure you teach them how to find meaning outside of a standard job. They need to know how to create it for themselves.




You can find my other book summaries here.



Notes


This is why I am so passionate about the influencer scene, where people are building audiences and followings based on something they do well. It’s not about video games or whatever else they’re doing. It’s about someone doing what they enjoy and providing some kind of value to others. Peer-to-peer is the future of value exchange because the middleman doesn’t need you, and you have to learn how to cut him out.





Thank you,


Daniel

Published on July 26, 2018 04:37

July 23, 2018

Humans Oscillate Between Wanting Novelty and Familiarity





I was listening to a random episode of the a16z podcast a few years back, and a guest on the show said something random that I thought was profound. I’m not sure the exact quote, but it was something like:




We bounce back and forth between wanting something new and wanting to experience patterns that we recognize.




It was a note inside of a comment inside of a point, but it impacted me greatly. It immediately brought many examples to mind—mostly around art—but across many genres.






In music, we like a new rhythm, beat, or harmony, but we also enjoy hearing it in each verse. And when we hear the song again, it’s the hook (the pattern) that we’re waiting for.
In stories, we like to hear about different characters, but we ultimately want to see them go on the Hero’s Journey.
In both cases, if you repeat a pattern—even a pleasant one—too often, it becomes boring and/or annoying.


I think this specifically relates to survival and the signaling of value, but I’m not sure.



I think this comes, as so many things do, from evolution. I don’t know the exact mechanism, but I think we’re tuned to find novelty because it could give us an advantage, and we’re tuned to find known-good patterns because we know they’re safe.



It’s a powerful concept for any creator.



The challenge is to constantly tweak the balance between new and repetitive in a way that keeps the viewer or user at optimal stimulation. Too much novelty and they crinkle their faces in confusion and rejection. Too much repetition and they yawn with boredom.



Of course, this depends on the person as well. I bet people who score high in Openness on an OCEAN personality test lean heavily towards wanting more novelty, and those who score low probably want more returns to (conservative) patterns.



I started learning to make EDM music recently, and it struck me here as well.



I see this in everything now. It’s in how I communicate. It’s in how I present material. I see it in the books I read, in the music I listen to, and in arguments I see people make.



Everyone is open or closed to new things, and that controls—for the last few moments or minutes of your interaction—whether you’re presenting them something they’re comfortable with that calms them, or something that’s new to them that exhilarates them. You have to know where they are in that cycle to know how best to continue.



So, think about this oscillation as you move through life. When you hear a pitch, or a song, or a story, notice when you’re being exposed to the novelty, and when you’re being reassured with safe patterns.



I find it fascinating, and I hope you will now as well.






Thank you,


Daniel

Published on July 23, 2018 19:39

July 22, 2018

DNS Rebinding Attacks Explained

I recommend reading this in its native typography at DNS Rebinding Attacks Explained




A lot of people have questions about the concept of DNS Rebinding attacks, and many of the overviews dive too deep into the details. Here’s a simple explanation that should help those having trouble getting it.



DNS Rebinding lets you send commands to systems behind a victim’s firewall, as long as they’ve somehow come to a domain you own asking for a resource, and you’re able to run JavaScript in their browser.



Here’s how it works.




If you can get someone to make a request to a domain that you own, you can give them a DNS response that maps host.domain to an IP address—say, 1.2.3.4.
If you set the TTL of that response really low—like 10 seconds—you force the client to keep re-resolving host.domain to see what its IP is.
If you know (or think) the victim has a given type of system on their internal network—like a router, or an IoT device—that you could control if you were on the same network, you can use a piece of malicious JavaScript running in their browser (because they came to your site) to make requests to that system, e.g., https://host.domain/set-dns-server?se....
When this command is first sent, it’ll go to IP 1.2.3.4, because that was the initial IP address you sent the victim for host.domain.
When the client next updates the DNS record (in 10 seconds, because that’s what you set the TTL to), you respond with 192.168.1.1 instead, so the victim’s browser now sends https://host.domain/set-dns-server?se... to 192.168.1.1!
If the router is vulnerable to what you send (perhaps because it uses default credentials or no credentials at all), it will update its DNS server setting to point to the bad guy, which is probably you again.
Repeat as desired to find the right IP internally, and/or to send different kinds of commands to different devices internally.


The attacker doesn’t need to rebind to an internal IP, either; they could just as easily rebind the name to another host on the internet to bypass the Same Origin Policy.



Basically, you have them request something from you, you give them a short-TTL name-to-IP mapping, you inject some JavaScript in their browser that makes malicious requests, and then you change the IP via a DNS update on your side to point at the target IPs behind their firewall.



It reminds me of what I speculated about in 2016, where one might use SSRF to do the same thing to exposed IoT device services.



What makes DNS Rebinding so interesting is that it takes advantage of two major features in the fundamental structure of the internet—which aren’t changing any time soon:




The fact that visiting browsers run your JavaScript by default (including things like BeEF hooks), and…
The ability to set low TTLs on DNS responses so that you can constantly rotate the mapped IPs


Brilliant.



Defenses

Because the attack takes advantage of these fundamental components of the internet, the defenses are non-trivial. They generally include:




Restrict the running of JavaScript (so the attacker can’t force requests).
Pin IPs to names (so they can’t rotate).
Don’t accept TTLs below a certain minimum (so they can’t rotate).
Don’t accept DNS responses (for external domains) with private addresses (so they can’t rotate to internal resources).
Likely others as well…
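Here is how the last two of those defenses look at the resolver, as an added example written for this post rather than anything from the original article: a filter that drops answers for external names that resolve to non-public address space, and raises very low TTLs to a cache floor so a mapping can't be swapped every ten seconds. The MIN_TTL of 300 seconds, the INTERNAL_ZONES allow-list (corp.example) and the Answer records are constructed assumptions; the 1.2.3.4 to 192.168.1.1 swap in the walk-through is the one described above.

```python
"""Resolver-side filter for DNS rebinding (added example; not the post's code).

Two of the defenses listed above, as a resolver or forwarder would apply them:
  1. refuse answers for external names that point at non-public address
     space, which blocks the rotate-to-192.168.1.1 step;
  2. enforce a TTL floor so a cached name-to-IP mapping cannot be swapped
     every 10 seconds.
MIN_TTL, INTERNAL_ZONES and the Answer records below are constructed for
this example.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Iterable, List, Tuple

MIN_TTL = 300                         # assumed floor in seconds; real resolvers make this configurable
INTERNAL_ZONES = ("corp.example.",)   # assumed zones that may legitimately resolve to private space

# Carrier-grade NAT space is not flagged private by the ipaddress module
# but is still not reachable from the public internet.
EXTRA_BLOCKED = (ipaddress.ip_network("100.64.0.0/10"),)


@dataclass(frozen=True)
class Answer:
    name: str    # owner name, fully qualified with a trailing dot
    rtype: str   # record type, e.g. "A" or "AAAA"
    ttl: int     # seconds
    rdata: str   # textual record data (an IP for A/AAAA)


def is_internal_name(name: str) -> bool:
    """True if the name is inside a zone that may legitimately use private IPs."""
    name = name.lower().rstrip(".") + "."
    return any(name == zone or name.endswith("." + zone) for zone in INTERNAL_ZONES)


def is_non_public(addr: str) -> bool:
    """True if addr is private, loopback, link-local, or otherwise not globally routable.

    IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) are unwrapped first so that
    192.168.1.1 cannot slip past an IPv4-only check.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if any(ip in net for net in EXTRA_BLOCKED if net.version == ip.version):
        return True
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast or ip.is_reserved)


def filter_answers(answers: Iterable[Answer],
                   min_ttl: int = MIN_TTL) -> Tuple[List[Answer], List[Tuple[Answer, str]]]:
    """Split a response into (accepted, rejected) records.

    Accepted A/AAAA records have their TTL raised to at least min_ttl;
    rejected records carry the reason they were dropped.
    """
    accepted: List[Answer] = []
    rejected: List[Tuple[Answer, str]] = []
    for ans in answers:
        if ans.rtype not in ("A", "AAAA"):
            accepted.append(ans)          # only address records can rebind
            continue
        if is_non_public(ans.rdata) and not is_internal_name(ans.name):
            rejected.append((ans, "non-public address for external name"))
            continue
        if ans.ttl < min_ttl:
            ans = replace(ans, ttl=min_ttl)   # clamp rather than honouring a 10 s TTL
        accepted.append(ans)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed walk-through of the swap described in the post.
    first = [Answer("host.domain.", "A", 10, "1.2.3.4")]
    second = [Answer("host.domain.", "A", 10, "192.168.1.1")]
    for response in (first, second):
        acc, rej = filter_answers(response)
        for a in acc:
            print(f"cache {a.name} -> {a.rdata} for {a.ttl}s")
        for a, why in rej:
            print(f"drop  {a.name} -> {a.rdata}: {why}")
```

Run as a script, the first response is cached for 300 seconds instead of 10 and the second is dropped, so the browser keeps talking to 1.2.3.4. Production resolvers expose the same two knobs directly (Unbound's private-address and cache-min-ttl, dnsmasq's --stop-dns-rebind); the allow-list matters because split-horizon zones really do hand out RFC 1918 addresses, and blocking those by accident breaks internal name resolution.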


Stay safe out there.



Notes


Image from Dark Web News.
The Wikipedia article on DNS Rebinding.



Published on July 22, 2018 01:14
