Unsupervised Learning Newsletter NO. 349

News & Analysis


Uber got all the way hacked, supposedly by an 18-year-old who shared his activities with multiple security researchers. It started by phishing an employee's 2FA code by pretending to be IT, and from there he got VPN access, access to Slack, a file share containing scripts with hardcoded creds, AWS, GSuite, VSphere, Duo, OneLogin, and…well…basically everything. Including its HackerOne program, which had all its previous vulnerability reports. As I said on Friday morning, it's easy to poke fun at a big company being owned this bad by a teenager, but the truth is most companies are just as vulnerable. Passwordless (FIDO2, etc.) won't solve everything, but it can't come fast enough. NYTIMES | WIRED | TWEET

CISA and NSA have published a new document titled Open Radio Access Network Security Considerations, which is how they recommend running 5G Open RAN implementations in the safest and securest way possible. ANNOUNCEMENT | PDF 

The US DHS is spending around $700,000 to investigate radicalization in gaming. They're mostly focused on terrorism and politics, but I'm hoping they can check in on the racism and sexism while they're there. MORE

🔭 Compass CISO JJ Agha on Relentless Iterations and What He Expects from a Modern SIEM

JJ A. is the CISO at Compass, the largest real estate brokerage in the US, and previously spent over four years as VP of InfoSec at WeWork, along with time as a security engineer at Vimeo and Priceline. On this episode of Detection at Scale, JJ shares how he builds his team, when to buy vs build, what he expects from a modern SIEM, and more!


  • Rockstar Games announced a breach on Twitter. MORE | GTA 6 LEAK

  • Uhaul had a data breach involving an unknown number of customer names, driver's license numbers, and license information (address, DOB, etc.). MORE

Almost 50% of proof of stake nodes for Ethereum were attributed to just two people recently. Hopefully that will open up soon, but there's no guarantee that it will. We should all watch closely when something designed to be decentralized ends up consolidating into just a few hands. MORE


Zoom went down last week, giving tens of thousands of users a mini-vacation. Unfortunately it's back up now. MORE

Google has canceled half of its R&D projects at Area 120, its internal R&D group. This is part of Google's general push toward waste-cutting. MORE

Twillio laid off 11% of its staff in a move to become profitable in 2023. That's around 850 people. As we see so many startups doing this due to over-aggressive hiring in 2018-2020, one question is how much of that lesson we'll retain in the next boom. Will companies remember this and hire more slowly next time? MORE

Cloudflare is moving its main reverse proxy tech from NGINX to an in-house, Rust-based system called Pingora. They're serving over a trillion requests per day now, with better performance, and supposedly using only a third of the CPU and memory resources. MORE


The founder of Patagonia has given away the company. He donated the entire thing to a set of trusts so that all future profits will be used for environmental causes. MORE

US mortgage rates are now over 6% for the first time since 2008. MORE

A bunch of semi-rich people (software engineers and others) are paying upwards of $75,000 to have 3-6 inches added to their height. They basically break the leg and extend it using traction. Reads a bit like marketing to me, but this offering will no doubt be copied. MORE

Japanese researchers have discovered the perfect way to put a baby to sleep. The algorithm is: walk with them for five minutes, sit and wait with them for 5-8 minutes, and then lay them down in bed. The trick is the second step which avoids going from walking to bed, which wakes them up. MORE

A new study has indicated that getting calories earlier in the day is better for weight loss than getting them in the evening, with the hypothesis being that it resulted in less feeling of hunger. MORE


✍️ My mom died on Saturday. SAYING GOODBYE


If I owe you anything in the last week, or in the week to come, I'm going to be only partially responsive. Lots of family stuff going on. Apologies for the delay.

Errata: Last week we pointed to a tweet and said that Emily Metcalfe, former employee on the Patreon security team, said she would not trust her data there. This was incorrect. It was Whitney Merrill, the author of the tweet talking about Emily's LinkedIn post who said that, not Emily. I am very sorry for this error.


⚙️ RECON | requests-ip-rotator (572⭐️)
A Python library to utilize AWS API Gateway's large IP pool as a proxy to generate pseudo-infinite IPs for web scraping and brute forcing. TOOL | by George0

⚙️ PENTESTING | Redeye (92⭐️)
Redeye is a GUI tool to share which systems have been compromised within a team. It shows overview information about all systems, and also deeper info on each target. TOOL | SCREENSHOT | by Redeye

⚙️ CLOUD SECURITY | CloudFox (567⭐️)
CloudFox helps you gain situational awareness in unfamiliar cloud environments. It’s an open source command line tool created to help penetration testers and other offensive security professionals find exploitable attack paths in cloud infrastructure. TOOL | BLOG | by Bishop Fox

⚙️ AUTOMATION | sd (199⭐️)
sd organizes your scripts into a clean structure for execution. TOOL | BLOG | by IanTheHenry

⚙️ MOBILE HACKING | A Basic Guide to iOS Testing in 2022 
A prescriptive guide to testing iOS in 2022. TUTORIAL | by BugCrowd

⚙️ AI ART | DiffusionBee
DiffusionBee is the easiest way to run Stable Diffusion locally on your M1 Mac. Comes with a one-click installer. No dependencies or technical knowledge needed. DOWNLOAD

🔥 The security and privacy features new in iOS 16. MORE | MORE

"Browser extensions are not a fucking collectors item you psychos stop installing them you are installing a remote control portal into every page you open holy shit." This was followed by, "Here's a list of 6 kinds of needles you can find on the ground and re-use today". TAY'S TWEET

A list of strong CI/CD and SRE blogs. MORE

Learn things by writing them out by hand. MORE

This is a really cool way to promote people who are looking for a job. The whole blog is slick, too. MORE


Take your parents' current age and subtract it from 76 or so. That's how many years they might have left. Now divide that by how many times in a year you see them. So let's say they're 65, and you see them twice a year. That's around 20 times you'll see them again. 20. That's a small number. And if you only visit once a year, that's 10. Or if they're sick or older, maybe 5 or less. Now ask yourself two things: 1) how you want to spend those last visits?, and 2) do you want to make any changes to increase the number? (Thanks to Sahil Bloom for this reminder).


"Grief is the price we pay for love."

Queen Elizabeth II