STANDARD EDITION | EP. 243 | August 24, 2020
Why InfoSec Creators Should Move to Direct Support Monetization More >
How to Initiate Contact With a Mentor More >
What They Don't Tell You About Being a Bounty Hunter or Content Creator More >
Algorithmic vs. Faith-based Learning More >
SECURITY NEWS
Facebook is threat modeling various scenarios where the current administration attempts to dispute or spread disinformation regarding the 2020 election results. They've even discussed a "kill switch" that can turn off all political ads on election day. More >
Joe Sullivan, the former CISO of Uber, has been arrested for trying to cover up the 2016 data breach that exposed 57 million drivers' and customers' data. Regardless of the details of the case, I like what this sets as a precedent regarding the responsibility to report. More >
California's DMV is selling data to 98,000 different groups, including private investigators, bail bondsmen, and insurance companies. It's one thing to have a privacy problem for voluntary services like Facebook and Google, but what do you do when the government forces you to surrender your data, which they then use to make a profit? More >
The US Army says many North Korean hackers attack from outside North Korea. More >
A naturalized US citizen, born in Hong Kong and who worked for the CIA and FBI, was arrested Friday for selling secrets to China. The best part is how he got caught. The FBI impersonated his Chinese spy HR department, basically, and asked him what all he had done and what his goals were. He told them everything, including that he wanted "the Motherland to succeed". More >
Soundarya Ramesh and her team have found a way to recreate a key by listening to it open a lock. And all you need is a smartphone recording. More > Demo >
Alexei Navalny, an outspoken Russian opposition leader, was poisoned on a flight and is now on a ventilator. It's remarkable to me that everyone knows Putin kills his political opponents using poison. It's common knowledge and the international community seems uninterested. More >
An AI beat a human in an F-16 dogfight again. More >
Vulnerabilities:
Microsoft issued out-of-band fixes for Windows 8.1 and Server 2020 R2. More >
A Jenkins Server vulnerability (CVSS 9.4) could result in data disclosure. More >
Breaches:
Experian reported a breach that exposed data on around 24 million South Africans and 800,000 businesses. More >
240,000 records were stolen from the Utah Gun Exchange, including emails, usernames, and passwords. More >
Ransomware:
Jack Daniels says they repelled a ransomware attack, but REvil has posted data they say they took from them. More >
The University of Utah paid almost $500K in ransom to get back its student and employee data. More >
Konica Minolta was hit in July, but they said it didn't affect their All Covered MSP. More >
Disinformation:
Facebook has removed 790 QAnon groups. More >
Companies:
Palantir's S-1 leaked last week and it reveals some truly strange numbers, including the fact that they've been in business for decades yet only have 125 customers. They also lost almost half a billion dollars in 2019, and almost a third of their revenue comes from their top 3 customers. More >
Cobalt.io secured a $29 million Series B. Way to go, Caroline Wong and team!
SenseTime is China's largest facial recognition startup, and it got banned by Trump in 2019. But now it's thriving (projecting 80% revenue growth in 2020) due to sales to local governments in China for COVID monitoring. More >
TECHNOLOGY NEWS
A company called Hour One has raised $5 million to use AI to generate synthetic characters from real humans. They can be programmed to say anything as that person. This is massive. This is basically the creation of people's digital avatars, and the actual manifestation of Deepfakes that everyone has been waiting for. More > Demo >
Tesla wants to use radar to detect kids inside hot cars. More >
QR Codes are making a serious comeback amid COVID. More >
A UC Berkeley student used GPT-3 to generate some blog posts, and one of them got to the front page of Hacker News because people thought it was 1) real, and 2) great. More >
Oracle is now one of the companies trying to buy TikTok's US operations. More >
Amazon is adding 3,500 tech and corporate jobs across 6 US cities. More >
HUMAN NEWS
Finland showed the results of a 2-year basic income experiment, and unemployed people who received the guaranteed income reported being happier and actually worked more days per year than those who did not. More >
Japan's GDP fell by almost 8% in Q2. More >
IDEAS, TRENDS, & ANALYSIS
How China Surveils the World — A brilliant interview-style discussion of how China sees big data and what they're doing with it. Read this and then remember that they have Equifax data, OPM data, Marriott data, and countless other similar datasets. They're playing the long game here of deeply knowing targets, even if they won't actually be targets for decades to come (see TikTok). More >
I had a particularly nasty idea for a ransomware tactic: present your findings as a bounty report, where you're asking for payment for the legitimate issue you've discovered. In other words, don't use any "compromise" language so that the leadership of the company can plausibly deny that anything bad happened. Then, if that doesn't work, you switch to the normal language of, "We've got your stuff. Pay us." This is such a good idea I can guarantee lots of groups are doing it already.
The TikTok Ban is Overdue More >
Thinking of yourself as a separate entity (like inside and outside of work) can reduce anxiety and improve your confidence and determination. More >
Blockchain, the Amazing Solution for Almost Nothing More >
UPDATES
Here's the DEFCON video of my talk, Mechanizing the Methodology, including a link to the slides. More >
The length of the show has been growing again. Not only have I had many stories lately, but some of the comments have been fairly long-form, i.e., large paragraphs as opposed to 1-3 sentences. I think I'm going to try to adjust that back a little so the show remains easy to get through, and highly curated. Especially in the newsletter form. I mean, it's already curated from thousands of articles to a few dozen, but I think I can do better. My main thing is I don't want to feel like I'm giving someone a ton of work when they read the newsletter. Please reply with your preference if you feel strongly about this in either direction.
I really want to create a list of every book I've read that gets auto-updated using Amazon Kindle/Goodreads. It looks like this will be the path. I might outsource it just to save time, or I might just do it myself in Python 3 this week. API >
DISCOVERY
There's a new coffee brewer called the Ratio Eight. I kind of want one, but I already have like 9 ways to make coffee, and it's like $500. It's an intelligent Chemex machine, basically. Intriguing. I'm very happy they're out of stock right now. More >
@hakluke posted a great tutorial on OWASP Amass. More >
Log and Time Series data are not the same. More >
Kapow — Turn a shell command into an API. Cool! Also, yikes. More >
Intel Owl — Threat Intelligence on a file, IP, or domain. More >
SpaceSiren — A honey token manager and alert system for AWS. More >
MITRE Shield — A mapping for ATT&CK to defenses. More >
Draw — A collaborative whiteboard. More >
A really nice collection of online tools for various tasks. More >
RECOMMENDATIONS
I really enjoyed this podcast series by Kevin Roose, called Rabbit Hole. It's all about the effect of the internet on people. Specifically, how it can pull people in increasingly extreme directions via algorithmic recommendations. It covers PewDiePie, QAnon, and other major events in internet history. More >
APHORISMS
"The tyranny of a prince in an oligarchy is not so dangerous to the public welfare as the apathy of a citizen in a democracy."
~ Charles de Montesquieu