Unsupervised Learning Newsletter NO. 344
News & Analysis
🗞️ NO. 344 | AUG 15 2022
Ok, a bit of an abridged episode this week due to BH/DC. I hope you either avoided getting sick from Hacker Camp last week, or that you're getting through it ok.
MailChimp had a breach that exposed DigitalOcean email addresses, causing DigitalOcean to change email providers. MailChimp told BleepingComputer that 214 accounts were compromised through phishing and social engineering. More | Disclosure
Oracle says it's now monitoring TikTok's algorithms and looking for indications that pro-Chinese content is being promoted unfairly. In June they said they moved US traffic to Oracle servers, and this continues the company's campaign to convince US lawmakers and users that the platform is safe from Chinese influence campaigns. More
18 tech and cybersecurity companies co-launched a proposed standard for sharing cybersecurity information called the Open Cybersecurity Schema Framework (OCSF). The goal is to standardize things like alerts and logs from various tools, and to help streamline data pipeline creation for training AI models. Primary participants include Amazon, Splunk, IBM, Crowdstrike, Rapid7, Palo Alto, and Cloudflare. More | Paper
Benchmark Your Cloud Configuration in Minutes with JupiterOne
See how your configuration compares against CIS Foundations benchmarks in just a few clicks. Once your cloud provider is integrated with JupiterOne, this framework is automatically imported based on which cloud provider you use, giving you greater understanding of how to improve your configuration and security posture.
Apple is pushing its Passkey technology in iOS 16, which is essentially a non-phishable password replacement that uses FaceID or TouchID to authenticate using public-key cryptography. The idea is that weak passwords, credential stuffing, and phishing are some of the worst security problems facing users, and Passkeys remove the problem by eliminating passwords altogether. It's one step instead of two: you pick your username and it signs you in with your face or finger. I can't wait for this to propagate across the internet. More | Video
Google and Facebook are strengthening their language on people who are employed but aren't working hard. A while back Zuckerberg said on a call that a bunch of people probably shouldn't be there, and that he was looking for them to self-select themselves out the door. Pichai of Google recently said much the same, saying he wanted "more hunger" from employees. Meanwhile, Apple said they're starting three days a week in the office. Seems like an identical message from MANGA: Work harder or GTFO. More
Teen use of Facebook has fallen from 71% in 2015 to 32% in 2022. YouTube still dominates at 95%, with TikTok coming in at 67%, followed by Instagram and Snapchat. More
Rich people in the US are moving to Florida at four times the rate of any other state. It, along with Texas, is one of two states with no state income tax. The list of top 10 migration states was glaringly Republican, so it's natural to wonder how much the trend is taxation-based. More
A new study showed that it was easier to grow bicep size and strength through short daily lifts rather than longer lifts twice a week. More
CONTENT, IDEAS & ANALYSIS
✍🏼 Creativity Comes From Idleness
My new short piece on why showers and walks produce creativity. More
I read this excellent post about creating viral blog post titles using GPT-3 and tried one of the suggested prompts. Remarkably good! And as most things with GPT-3, it's equally terrifying. We're getting fairly close to being able to pitch an idea, with a little bit of content, and have GPT-N write you a great title, a great essay, and probably tell you where and when to post it. Then it'll be the battle of the ContentAI Farms. We'll need new models to try to detect if something was written by a human. If anyone even cares at that point. More | Example Output
It sounds like BH/DC is shaping up to be another superspreader event. Not sure what the official threshold is there, but according to the anecdata on Twitter there are a lot of cases kicking in. How is it that our industry is so bad at risk management? And is it a knowledge problem, or a social isolation problem, or a business problem? Or all of them? I have friends in sales who have basically been told to get out there and have those meetings in Vegas. In person. And that if they want to prioritize their health they should also prioritize not working there. And for much of the hacker community, I think it comes down to community. In short, we're starved for human connection, and if Covid isn't going to kill me, it's probably worth getting once or seven times. I'm not sure what the cocktail of reasons are, and they're different for everyone, but I can't wait for this to just be a common cold thing. Assuming we get to that point. Maybe we just mask up most of the time at conferences from now on. Why? Covid, sure. But also ConFlu and actual Flu, and whatever else. I can't wait until we can just vaccinate, mask, and go about our lives without facing potential longterm risks.
It was wonderful seeing so many security friends last week. I mostly stayed outside and hopefully that will keep me from getting the funk again, but who knows. One thing I do know is a lot of hackers, despite their reputations, really need to see their friends. Curiosity is contagious as well, and many in our community love to be amongst our own, in person, sharing what we've been working on. I can't wait until it's more safe to do so.
I had a lot of fun speaking at the Blackhat CISO Summit on Tuesday. I spoke about the Vulnerability Management program we've been building at Robinhood, and the talk was enthusiastically received. So many follow-up conversations to be had in the next few weeks!
Last Tuesday morning I got barraged by multiple people telling me that I was just mentioned in the BlackHat Keynote. Apparently, Chris Krebs had a quote in there from me about Why Software Remains Insecure. "Basically, software remains vulnerable because the benefits of making insecure products far outweigh the downsides. Once that changes, software security will improve but not a moment before." Very cool of Chris to put that in. He and I had talked about him using the quote, but I didn't know it was for the BH Keynote! More | Essay
Was super great to hang with @mugwumpjones at Hacker Camp. Such a sharp and creative mind. Our conversations are always so fun across multiple topics. You should never miss an opportunity to share ideas with her. More
⚙️ RECON | WTFIS
A command-line tool that gathers information about a domain or FQDN using various OSINT services. Unlike other tools of its kind, it's built specifically for human consumption, providing results that are pretty (YMMV) and easy to read and understand. More | Sample | by PirxThePilot
⚙️ APPSEC | STRIDE -> ASVS
A mapping between the STRIDE threat modeling framework and the ASVS assessment methodology. More | Mapping | by Mllamazaraes
⚙️ OFFSEC | ScanBox
A collection of security scanners across 10 different categories. More
⚙️ OFFSEC | BlueHound
An open-source tool that combines permissions data, network access, and vulnerability data to visualize the paths an attacker might take to pivot within your network. More
⚙️ OFFSEC | Azure_Workshop
This is a vulnerable-by-design Azure lab containing 2 x attack paths with common misconfiguration. These vulnerabilities are intended to represent those found in live production environments and the attack vectors are intended to be as realistic as possible to real Threat Actors TTPs. More
A Blackhat/DEFCON roundup. More
An Autonomous Reputation System More
How I Wish I Could Organize My Thoughts More
Replacing Your Blog's Images With DALL-E Generated Pictures More
7 Things I Learned Doing Stand-up Comedy More
SSH Tips and Tricks — Two of my favorites were SSH'ing into tmux, and using a YubiKey. More
ML Interview Questions More
The Power of Hugs in Anime More
Maybe having lots of unread books keeps you humble. More
Don't let anyone tell you what your risk posture should be. Just make sure you have one. Do your best to make sure you have a model of the risk, and that when you expose yourself to danger you're doing so in a calculated and somewhat measurable way. The trick is knowing what's "worth it", and being deliberate about the risk tradeoffs being made.
"Don`t walk behind me; I may not lead. Don`t walk in front of me; I may not follow. Just walk beside me and be my friend."