Unsupervised Learning Newsletter NO. 337

China Surveillance, Cyber Bills, and Recon Tools…

NO. 337 — STANDARD EDITION | JUN 27 2022

Good morning and welcome to Summer 2022. I hope you have a great week.
— Daniel


The NYTimes Analyzes China's Surveillance State Plans
The NYTimes spent a year going through over 100,000 government bidding documents, and they've constructed a clear vision of what the government is trying to build. The plans include the combined use of cameras, DNA databases, mobile phone access, and microphones to match people's race, ethnicities, voiceprints, clothing, vehicles, friends, social contacts, etc.—to make most public places into capture zones where they can identify and track people in multiple dimensions. Now add that to the various social credit system plans and you have tremendous leverage over the population. The only upside I see here is that these plans are so draconian, and so transparent, that it could cause many of the most talented to leave the country, and the rest of the world to ostracise China's government. Hopefully that happens before China fully builds and implements this stuff, and starts exporting it to other would-be authoritarian regimes. More | Example Interface | An Invisible Cage

BEC Attackers Starting to Impersonate Third-party Vendors
Abnormal Security says BEC attackers are more frequently switching tactics to impersonating third-party vendors and suppliers. This is a switch from mostly impersonating internal executives and other VIPs. They say third-party impersonation made up over half of attacks in May of 2022. More

Attacker Selling Access to Networks via Atlassian Vuln
An attacker is selling access to 50 different networks that he got access to via the recent Atlassian Confluence vulnerability. The actor said they were also selling access to 10,000 additional hosts that were compromised using the flaw. More


The Metaverse: An Unprecedented Attack Surface

In the last year, there has been a sharp increase in the overall awareness of the Metaverse and digital assets.

Traditional cybersecurity threats are likely to be accompanied by fresh challenges in the Metaverse, as the required integration of emerging platforms, protocols, and technologies will almost certainly present an unprecedented attack surface.

Read the Zerofox Metaverse intelligence report to learn:

  • The Metaverse’s key concepts

  • Current players and trends

  • Examples of emerging cybersecurity risks in the Metaverse

  • Associated regulatory and legal considerations

Chinese Attackers Using Ransomware to Hide Espionage
SecureWorks says Chinese attackers are more frequently using ransomware to make it appear they're lower-level attackers going after financial gain, when their real goals are likely intellectual property. They estimated that 75% of the targets they looked at are likely interesting to China based on their location and business verticals, e.g., pharmaceutials. More

2 New Cybersecurity Bills Signed Into Law
The Biden administration signed two new bills into law. The first removes red tape that will allow federal workers to share knowledge with multiple agencies. The second improves coordination between DHS and state and local governments. More

CISA's Cloud Security Technical Reference Architecture
CISA has released its Cloud Security Technical Reference Architecture, which clarifies considerations for shared services, cloud migration, and cloud security posture management as it fulfills a key mandate in delivering on Executive Order 14028, Improving the Nation's Cybersecurity. More

Automatic CAPTCHA With iOS
iOS 16 is looking to solve some of the annoyance of CAPTCHAs by transparently proving to the website that you are a real person. Yes, please. This is also within the theme of "passwordless" with its FIDO2 support of WebAuthN. I love all of it. Super happy to see the mobile phone take more of a dominant role in proving things about ourselves. I mean they know if we're logged in with our finger or face, right? So why couldn't they securely pass that on to a given website? More


Alexa Spoofing Dead Relative Voices
Amazon is showing off a feature that will let Alexa learn to speak in a voice of anyone, including a dead relative, by sampling off just one minute of audio. So if you have the voice of a loved one you can have them speak to you using that voice forever. We knew this type of thing was coming, but impressive that it's here already. More

The Zoomification of Slack
Slack is getting Video Huddles, which is going to make it a lot more like Zoom. The feature will release in fall, and will include reaction emoji, effects, and stickers that will be very familiar to Slack users. I think this will be great for people who already use Huddles for 1:1 communication; the real question will be whether it gets adopted as the default for larger scheduled meetings. More

Apple's AR/MR Headset Rumored for January
A number of Apple analysts (including Ming-Chi Kuo) are saying the rumored Apple headset will actually launch in January. Seems early, but what do I know. Other support for this timeline comes from Tim Cook being more chatty about the project recently, which is new for him. More

Instagram's Face-scanning Age Verification Tool
Instagram is testing an AI tool that scans your face to verify your age. Previously you would verify your age by sending in ID card images, and now you're going to be able to get people to vouch for your age or use the AI tool to estimate it. More

Twitter Notes
Twitter is testing a new feature called Notes where you can append a permanent, long-form version of your tweet. It's essentially a play to capture some market share from blogging platforms, but I don't see it as a good solution for that. A blog is more than a place to put a long block of text; it's a domain that you own, and where Google can discover your content. A digital home base. I feel like Twitter has too many lazy jabs at products like this, and too few full-power punches. More

Metaverse Standards
Meta has wrangled a number of companies into creating some "metaverse standards", including Qualcomm, NVIDIA, Microsoft, and a few others (no Apple of course). This to me feels like a continued play at establishing themselves as leaders in the metaverse, when nobody even knows what it is yet. It's almost like the game is simply, "Talk a lot about it, establish standards, put out marketing videos, etc.—so when people think metaverse they think of us…". Now that I hear the words, though, I guess I've heard worse strategies. More


Roe vs. Wade Overturned
The SCOTUS has reversed Roe vs. Wade, putting the legality of abortion back to the states. Multiple states have outright banned the practice, and many others have placed restrictions on it. Multiple tech companies have come out saying they would pay for any employee who needs to travel to safely have the procedure, and meanwhile Meta has banned employees from discussing the ruling. More

A Frozen Woolly Mammoth Has Been Discovered in Yukon
A paleontologist found an intact wooly mammoth in Yukon, Canada. It's estimated that the mammoth died 35,000 to 40,000 years ago, and it's being called the most important discovery in paleontology in North America ever. "She has a trunk. She has a tail. She has tiny little ears. She has the little prehensile end of the trunk where she could use it to grab grass," said Zazula. More


Where Are All The New Creators?
There's a great new piece out called Where Did the Long Tail Go, which talks about how technology was supposed to find us new movies, new music talent, new writers, etc.—and bring them to the forefront for all to see. Except it didn't happen. Instead we're seeing the opposite, where the main people keep getting all the visibility. I personally think this is a technical problem that needs to be solved with AI. I created an Amazon PR for a fake product called Amazon Curate that does this for blog content, but it's theoretical. The point being that the long tail doesn't matter if it's not parsed and harvested, which is uniquely suited for AI. The final piece of that, though, is having someone benefit from the discovery financially. Part of the problem is that what makes something a commercial success is often familiarity and not just quality. So sequels from known artists are safer bets. But I think having a large enough quality jump could be the solution. More


I will be speaking at the CISO Summit at Blackhat and the Recon Villiage at DEFCON this year in Vegas. My CISO summit talk will be on the program I'm running at work, and my Recon talk will be on building an Attack Surface Management product using nothing but projectdiscovery.io tools for virtually no money. Should be super fun. My buddy Jason Haddix will be at both events doing his own two talks as well, so if you're around DEFCON you should come say hi. Do note that I'll likely swoop in, speak, and head for a well-ventilated area, however, so let's prearrange a good spot to say hello.

We're looking to do a UL Dinner in Vegas as well. It'll be outside or somewhere with otherwise excellent ventilation. Stay tuned in the UL Slack channel.

We just created a referral program for the newsletter, and you can use your unique link to share with friends and social media if you like the show. I have been too shy about asking for referrals and would really appreciate your help getting the show out there! Thank you. Your Referral Page

If you have any comments on the updated newsletter design this week, please hit reply and let me know! I'm continuing to make upgrades and would love feedback!

I'm on the iOS 16 beta and the thing I notice the most is how much better dictation is. I mean, it's really good now. The voice messages feature within Messages is much better now as well. Solid improvements in features I use a lot.

This week's UL Book Club was excellent. The book was, The Difficulty of Being Good, and we were all surprised by how great, and how deep the book was. The conversation was quite substantive, bringing us from the original text discussed in the book all the way to current events. And we selected the new book for July as well, which is The Second Mountain, by David Brooks.

I am deeply disturbed by the SCOTUS ruling on Roe vs. Wade. I have many thoughts on it, but they are too chaotic to formulate into words right now. Perhaps the summary is that I see the ruling as pro-religion at the cost of being anti-woman and anti-human. I captured my thoughts on the topic back in 2020 as well, and I think they still hold for me. More


CrowdSec — The Massively Collaborative Cyber Defense Solution

Discover CrowdSec, an open-source and collaborative intrusion detection and prevention solution. Analyze visitor behavior & remediate various attacks such as brute-force, scans, scraping, scalping, and more. Each time an IP is blocked, all community members are informed so they can also block it as well — making the solution not only reactive but also preventive.

Thanks to the collaborative CTI, CrowdSec users experience 90% fewer attacks on their servers. As of today, the tool is being used in 160+ countries, and the community flagged 2M+ malicious IPs.


Khaby Lame is the new #1 on TikTok, dethroning Charli D'Amelio. More

Editing Means Writing Less More

[ AI Drawing ] Craiyon — An AI model that can draw images from any prompt, similar but different from OpenAI's DALL-E. It's not as powerful, but it's open to everyone. More

[ RECON ] xnLinkFinder — A tool by xnl-h4ck3r used to discover endpoints for a given target. It can find them by: domain/URL, directory crawling, Burp XML parsing, or ZAP project parsing. More

[ RECON ] Linx — Reveals invisible links within JavaScript files. More

[ RECON ] Waymore — Another amazing tool by xnl-h4ck3r, Waymore will get wayback machine links from the Wayback Machine (with filters and options to get what you need) in addition to checking ALL Common Crawl index collections if required. More

[ DATABASE ] SQL Queries Against CSV — A one-liner that lets you run SQL queries against CSV files without using SQLite. More

[ DATABASE ] Dolt — Dolt is a SQL database that you can fork, clone, branch, merge, push and pull just like a git repository. Connect to Dolt just like any MySQL database to run queries or update the data using SQL commands. More


If you're going to Vegas, consider taking extra time to pre-plan for events that will be outdoors or otherwise well-ventilated. And encourage event coordinators to require masks. If people cram together again like they did at RSA there's no reason to expect a different outcome.


"In the midst of winter, I found there was, within me, an invincible summer. And that makes me happy. For it says that no matter how hard the world pushes against me, within me, there’s something stronger – something better, pushing right back."

— Albert Camus