Unsupervised Learning Newsletter NO. 333
News & Analysis
STANDARD EDITION | EP. 333 | MAY 31 2022
I'm back! Sorry for the unexpected break last week; I've been dealing with multiple weeks of really bad sinus infections (and taking multiple Covid tests throughout). I figured out the cause (failing to rotate my allergy medicine every few months, which was causing massive inflammation), and we're back on schedule!
Verizon released the 2022 version of the DBIR. Here were my biggest takeaways:
Use of credentials was the biggest attack vector, followed by phishing (which targets credentials). This calls massive attention to the need for 2FA. Exploit/Vuln was insignificant compared to Creds/Phishing.
Ransomware continued to rise in prominence. No surprise there, but they point out that ransomware is just what attackers do after they're in, so defense still needs to start with Creds/Phishing/Exploit.
Misconfiguration (especially of cloud storage) featured heavily, which resonates with the data I've seen elsewhere over the last year.
82% of breaches involved a human element.
80% external actors, 20% internal.
Motive was overwhelmingly Financial (~90%), followed distantly by Espionage (~8%).
In short, our biggest industry problem is still the use and abuse of weak usernames and passwords, and the faster we move to "passwordless" solutions like FIDO2/YubiKey the better. Our second biggest problem is the extreme organization and efficacy of ransomware groups once they get in. And our rising problem that involves both of those is the fact that businesses rely on other businesses to do what they do, so you can attack a company by hitting them directly or by going after their partners. This is just now reaching the painfully obvious stage, and we should expect both attackers and defenders to be putting more energy into this space.
Great job once again to the DBIR team. Read the Report
Team Cymru says attackers are increasing their use of a browser automation platform called Bablosoft. The tool is able to emulate various browsers, emulate human clicks, and leverage proxies. More
The Metaverse: An Unprecedented Attack Surface
In the last year, there has been a sharp increase in the overall awareness of the Metaverse and digital assets.
Traditional cybersecurity threats are likely to be accompanied by fresh challenges in the Metaverse, as the required integration of emerging platforms, protocols, and technologies will almost certainly present an unprecedented attack surface.
Read the Zerofox Metaverse intelligence report to learn:
The Metaverse’s key concepts
Current players and trends
Examples of emerging cybersecurity risks in the Metaverse
Associated regulatory and legal considerations
Researchers in Italy found that APTs largely share known vulnerabilities with each other, and not 0-days. They looked at 350 campaigns and 86 APTs and found that only 8 of the 86 actors used vulns that others didn't. More
Greenland (population ~56,000) suffered a cyberattack that "severely limited" its health services. They didn't say if it was ransomware or not, but they had to restart virtually every IT system they have. More
There are multiple vulnerabilities in VMware products, including a CVSS 9.8 vulnerability related to authentication. More
There's a 0-day in Office that's being actively exploited. More
Zoom vulnerabilities fixed last week required no user interaction. Update before you get started with meetings this week. More
Apple is testing a new iPhone-to-iPhone payment technology that will let people and merchants receive payments via NFC. This is massive. Before this, people had to use a separate NFC reader or card swiper to receive payments on an iPhone. I think this will quickly become a really popular way to split bills among friends at restaurants, and will allow more small merchants to take digital payments. More
Walmart is about to be delivering products to 37 states using drones, reaching 4 million households. It's so interesting how certain technology like drone delivery and AI go from sci-fi to casually adopted so quickly. More
Broadcom is buying VMware for $61 billion. More
In a story that doesn't receive nearly enough coverage, China has basically identified Islam (or at least the Uyghur culture) as a threat, and has built re-education camps (see Concentration) to control the problem. This BBC story captures this story with clarity I've not seen anywhere else. I'm happy to see more and more companies starting to pull their production out of China. Between their outright hacking to steal anything of value from the world, to the repression of its own population, to actual camps to erase a culture, it's time for the world to label the current country as outright malicious. I empathize with their desire not to be second-class citizens on the world stage, but this hyper aggression isn't the way. More
The CDC says 1 in 5 US adults who recover from Covid could end up with Long Covid. More
A preprint study (so use more caution) of variants found that BA.2 was actually more severe than BA.1, meaning it's not a given that strains become milder over time. More
Finland's Green Party has endorsed a move to nuclear power. It made the move by reframing nuclear energy as "sustainable energy". Now if only we could get the US and Europe to see this. More
San Francisco had the largest population drop of any major US city, at 6.3%. More
Conan O'Brien has signed a $150 million podcasting deal with SiriusXM. More
CONTENT, IDEAS & ANALYSIS
Newsletter Analysis: What My Favorite Newsletters Have in Common — I broke down a ton of attributes from my favorite newsletters and did some analysis on them. More
Pinning Down the Metaverse — I think the Metaverse primarily comes down to experiencing existing realities in an enhanced way, and constructing new realities that are preferred or useful for various reasons. So basically, enhancing reality and constructing new realities. When you think of Zuckerberg's version it seems to be mostly about enhancement of our reality. Like virtual meetings. And if you think of gaming and VR, it's more like creating other worlds. But these mix into each other, because you might use VR technology to experience existing reality in a different way. And you might use an immersive game to escape from reality and become someone else, or you could use it as a therapeutic tool to help you function better in your primary reality. More thinking to come on this, but start looking at various metaverse conversations as either enhance or escape, and see if that's informative.
A friend at OpenAI extended me an invite to DALL-E 2, and I've been playing with it for the last few days. It honestly feels like I'm messing with something from the future. Awe is a good word to use because it includes both wonder and fear. Here are a couple of images I've created. A stained glass window shaped like a robot. A Van Gogh painting of two robots holding hands under the stars. The fact that all these can be created in like 10 seconds is unspeakably stunning to me. Like it knows what Starry Night is, and can take any concept, draw the picture, and then stylize it as Starry Night. It's just unreal. I seriously spent like 5 hours with it on Sunday night. Both GPT-3 and DALL-E (actually part of GPT-3) give me the distinct feeling that humanity is about to be ambushed. I honestly think everyone in the UL community should read Homo Deus and think about what it will mean to become part of the Useless Class. Maybe not you. Maybe not tomorrow. But for your younger loved ones. Now is the right time to start preparing for computers to be able to do many/most things better than many/most people.
I've had a coffee grinder on order for around three years that is (theoretically) shipping soon. Cannot wait. I like my hand grinder, but I don't like using it every day, for every cup. It's the EG-1, by Weber. More
I'm thinking about moving my whole creation stack to Ghost. I've thought about it for a couple of years now, but with version 5 it's getting increasingly compelling. Basically, it would be Memberful (memberships and payment), WordPress (website), and Mailchimp (newsletters), all in one platform. I long for that simplicity, especially since I am about to do a lot more on the member content side. The only question is what I'd lose in exchange, and how each of those weighs in the long run.
There are many things to be disturbed about with the massacre in Uvalde. But one that's really getting me is how the shooter fired from outside the school for 12 minutes before going in. And there were many armed police who responded almost immediately who apparently decided not to engage out of fear. Why do we have all these brawny police Batman belts, and SWAT teams, if we're not going to put ourselves in danger when we need to? To protect elementary school kids no less. Seriously unsettling. More
🔥 The Shame of Uvalde and the Sacrifice of Memorial Day More
I Get The Reference, But Who Cares? — This piece expertly captures what I dislike so much about fetishized nostalgia. I have more to add to it actually, which is that over-indexing on nostalgia often turns into resignation that your best years are in the past, which is a horrible way to think about life. You should also be following this guy if you're not. More
A respected professor from MIT argues that success is largely determined by one's ability to do three things: 1) to speak, 2) to write, and 3) to have quality ideas. I'd have used a different order I think. Probably, 3, 2, and 1 actually. More
OKR Failure Modes. A good link, but I'd add "lack of measurability" to the list. More
The top 1% of new ideas encountered by Sahil Bloom. More
List of School Shootings in the United States More
You've heard of CyberPunk, but have you heard of SolarPunk? Absolutely amazing. More
[ OFFSEC ] Arsenal — A quick inventory, reminder, and launcher for common pentest commands. More
[ RECON ] Amazon Quicksight — Amazon Quicksight is a powerful tool for visualizing Recon and other security-related data. More
Get your Goodreads in order. Or whatever similar system you use. The goal here is not to pat yourself on the back for reading so much, but rather to put some numbers and structure around what you're reading to encourage yourself to continue. It's also an opportunity to look at your queue and either abandon or promote things accordingly. Finally, it's an opportunity to find your top N books and write a quick summary of why you liked them, either on Goodreads itself or preferably on your own site/PKM.
"Despair is a narcotic. It lulls the mind into indifference."
— Charles Spencer Chaplin