Exploring the intersection of security, technology, and society - and what might be coming next...
Standard Web Edition | Ep. 269 | February 22, 2021
SECURITY NEWS
The US has announced charges against three North Korean government hackers who they say are responsible for the Sony hack, WannaCry, and a number of digital bank thefts. They reportedly work for the Lazarus Group, or APT 38. More
Several users of the Egregor ransomware service have been arrested by French and Ukrainian police. These aren’t the creators of the system, but customers. The service is really a SaaS platform allowing cybercriminals to attack targets with ransomware without having to build the infrastructure themselves. More
Let’s Encrypt has finished a massive upgrade of its systems that would allow it—if it ever became necessary—to rip and replace its entire portfolio of 200 million certificates in less than 24 hours. I think this is smart. How many other companies could replace their entire infrastructure with trusted certs in one day? I love the ‘plan for the worst’ resilience thinking here. More
Dropbox has released a password storage and synchronization tool called Dropbox Passwords. More
Kenna says only 2.6% of 2019’s 18,000 tracked vulnerabilities were exploited in the wild. So that’s around 473 vulns, and only like 6% of those were used widely against more than 1% of organizations. The message from Ed Bellis and Kenna here is that the idea of the Wild West is not accurate, i.e., there are lots of vulns out there, but there are very few that matter. More
South Korea says North Korea attempted to steal COVID vaccine data from Pfizer. They said APT groups Zinc, Cerium, and Fancy Bear (Russian) were involved. More
China may be looking into restricting the export of certain rare earth minerals in order to harm America’s military capabilities. See the MCF strategy in the Analysis section below for more context. More
SAP NetWeaver has multiple vulnerable services related to auth. More
Vulnerabilities have been found in the file-sharing app Shareit. More
The California DMV says it may have lost up to 20 months of data after a ransomware attack at a contractor. More
It appears that Kia Motors America (Kia’s American subsidiary) has been hacked, with a $20 million ransom demand. Kia denied there was a ransomware attack. More
Underwriters Laboratories has suffered a ransomware attack that forced them to shut down operations to recover. More
Kroger had a third-party data breach that included customer and employee data. More
The law firm that represented Trump in his election challenge has been hacked, with 100GB of data stolen. More
CrowdStrike has purchased logging company Humio for $400 million. More
Palo Alto Networks has acquired DevOps company Bridgecrew for $156 million. More
TECHNOLOGY NEWS
Databricks is partnering with Google Cloud. More
Spotify is going to let people work from anywhere, but still pay them SF/NY salaries. (Salesforce too) More
It’s true that tons of people are leaving San Francisco, but a reporter at the SF Chronicle found that most are just moving to Bay Area suburbs, not leaving the area. The top three destinations were Alameda, San Mateo, and Marin counties, the top six were all suburbs, and the top 15 were all in California. More
Google has fired another AI Ethicist, and it’s a bad story no matter what. Either they’re an Evil Empire that keeps getting discovered or they’re really bad at hiring (or some combination thereof). And don’t forget Tristan Harris, the UI Ethicist who said he was ignored and pushed out for telling them what they didn’t want to hear. More
Ally.io raises $50 million in the OKR market. More
HUMAN NEWS
Researchers were able, for the first time, to communicate with someone while they were lucid dreaming in REM sleep. Communication was basic, but they could do things like give the answer to eight minus six by moving their eyes in a particular way. More
According to a new study out of Dartmouth and Warwick, 11% of white, middle-aged people with no college education reported “extreme mental distress”, which is defined as having serious emotional problems and mental distress for every one of the last 30 days. Eleven percent. That’s almost double the percentage for non-whites with no college. And the rates have more than doubled since 1993. But back then it was the non-whites who had the higher percentages of distress, and now it’s whites. How and why did that invert? Answer that, and why their rates are double, and I think you’ll be close to figuring out why domestic terrorism is all poor white people, too. Hint: they don’t feel valued or respected in society, and they’ll do anything to get that feeling back. More
92% of NYC restaurants could not pay rent in December. More
A third of US troops are refusing the COVID vaccine. More
62% of Americans say we need a third political party. More
Mount Sinai is opening a psychedelic research center. More
A study out of UC Davis indicates that most bullying takes place among friend groups as a mechanism for jockeying for popularity. More
CONTENT, IDEAS & ANALYSIS
China’s MCF Strategy — Anyone who wants to understand China’s strategy for long-term success/dominance needs to understand their concept of Military-Civil Fusion (MCF). It’s the strategy of unifying the goals of its military and industry worlds so that they work together and support each other. In short, removing the boundaries between Chinese military interests and Chinese economic interests in the long term. Foreign governments have seen MCF as a threat, since it seems logical that it would mean using Chinese corporations and startups to help further their military goals. This basically means treating any interaction with a Chinese company as if you’re dealing with the Chinese state, and, unsurprisingly, that’s exactly the dynamic the west has seen developing over the last several years. More
Facebook, Google, and Australia — This whole thing with Facebook and Australia is fascinating. Basically, Australia is complaining because its newspapers are being destroyed/replaced by social media. But the trick is, the news is still being produced by media outfits—it’s just not being consumed via newspapers or TV. So media groups are putting in all the effort while companies like Facebook get all the viewership benefits, and the profits that come with them. So, Australia is being Australia and saying no mas. They’re requiring Facebook and Google to pay media companies for showing their content on their platforms. Google agreed. Facebook didn’t. So the question is, 1) what’s “right” in this situation, and 2) what’s the trend likely to be moving forward?
Building a Life Dashboard — I’m starting a big life project for myself, which is tracking my overall life metrics around everything that matters to me. This will be a book someday. Basically, a life dashboard. The types of metrics I want to include are pretty exhaustive, and they go from the trivial to the ultimate meaning of being on the planet. Examples include: books read, friends called, side income generated, times I’ve given thanks, random kind acts performed, website traffic, calories consumed, number of workouts, BMI, resting heart rate, masters degree yes/no, nest-egg target hit (yes/no), etc. It’ll be hundreds of metrics. And here’s the cool part. I’m going to automate the shit out of this. And build my own dashboard using Dashing.io or Tableau, and have it available as a mobile interface on my phone as well as displaying it prominently on the wall at home. The process starts with defining my life goals, which are informed by my entire life and everything I’ve ever read and experienced. And they will be regularly revisited as well. And then the metrics flow from there (I’m currently in the dashboard design phase), and I’ll keep them right in my face constantly. The idea being, if you know what you want, you should capture that and work actively towards it. And that’s precisely what I’m going to do. I’ll have some mock-ups to show soon.
Enhancing my Automated Web Testing Stack — I’ve been working more on my ever-evolving web security testing methodology, and—more importantly—the automation stack that powers it. The tools in this space just keep getting better, and Project Discovery has lifted the bar for everyone. What I’m working on now is a rewrite of what I described in my Red Team Village DEFCON talk from last year, where I break every assessment into small, discrete pieces. I’m redoing my current structure using tools like: ffuf, unfurl, ipinfo.io, host.io, meg, gf, httprobe, anew, nuclei, mapcidr, etc. And I may be soon adding axiom to that mix, if I can figure out how to control costs for spinning up multiple boxen. Like I talk about in that talk, what I’m basically doing is making a massive list of questions that I would want to know about a company, or a URL, or an IP, or a CIDR range, and saying, “Go answer all those questions for me, now…BOOM!”. That starts up like 20 mini processes that kick off and all feed off each other to answer those questions. Many run in parallel, and some wait for others to complete before they start. And within a few seconds, or minutes, I will then know all the domains associated with a company, all their websites, which are likely to be high risk, which have web vulns, which have certs that are about to expire, which have open ports listening, which have weak authentication, and a hundred other questions. And all I did was press GO with a single input parameter! Along with my metrics project above, this is my other major technical project I have going on. But it’s kind of a perpetual project that I’m just heavy into right now. I’ve been optimizing this stack for like 8 years or so.
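The "questions that feed off each other, some in parallel and some waiting" structure described above is the part that is easy to get wrong, so here is an added example of the orchestration skeleton. This is not the author's stack and not code from any of the tools named above: each question is a shell function that reads the answer files earlier stages wrote and writes its own, a wave of independent questions is started with `&`, and `wait` gates the next wave. The recon results (hosts, liveness, ports, days until cert expiry) are a constructed table standing in for real tool output so the script runs offline; in a real stack the body of each stage would be the corresponding tool (for example, the domain list piped into httprobe for the live-host question).

```sh
#!/bin/sh
# Added example, not the newsletter's own stack: a small orchestrator showing the
# shape of the "ask all the questions at once" pipeline. Each question is a stage
# that reads answer files produced by earlier stages and writes its own. Stages
# whose dependencies are satisfied run in parallel (&); the next wave waits (wait).
# Real tools (httprobe, nuclei, mapcidr, ...) are replaced by offline stand-ins
# over a constructed table so the script runs anywhere without network access.

WORK="${WORK:-$(mktemp -d)}"

# Constructed reconnaissance results standing in for tool output (not real hosts).
# Columns: host  live?  open_ports  days_until_cert_expiry
seed_inputs() {
    cat > "$WORK/recon.tsv" <<'EOF'
app.example.test yes 443 120
www.example.test yes 80,443 12
legacy.example.test yes 443,8080 400
dev.example.test no - -
EOF
    awk '{print $1}' "$WORK/recon.tsv" > "$WORK/domains.txt"
}

# Wave 1: both questions depend only on the domain list, so they run in parallel.
q_live_hosts() {    # in a real stack this is where domains.txt feeds httprobe
    awk '$2 == "yes" {print $1}' "$WORK/recon.tsv" > "$WORK/live.txt"
}
q_open_ports() {    # stand-in for a port scanner; emits host:port lines
    awk '$3 != "-" {n = split($3, p, ","); for (i = 1; i <= n; i++) print $1 ":" p[i]}' \
        "$WORK/recon.tsv" > "$WORK/ports.txt"
}

# Wave 2: each question needs wave-1 answers; the two run in parallel with each other.
q_cert_expiring() { # live hosts whose certificate expires within 30 days
    awk 'NR == FNR {live[$1] = 1; next} ($1 in live) && $4 + 0 <= 30 {print $1}' \
        "$WORK/live.txt" "$WORK/recon.tsv" > "$WORK/cert_expiring.txt"
}
q_high_risk() {     # live hosts exposing a non-standard web port or carrying a risky name
    awk 'NR == FNR {live[$1] = 1; next}
         { split($0, a, ":"); h = a[1]; p = a[2]
           if ((h in live) && (p != "80" && p != "443" || h ~ /^(dev|legacy|staging)\./)) risky[h] = 1 }
         END {for (h in risky) print h}' \
        "$WORK/live.txt" "$WORK/ports.txt" | sort > "$WORK/high_risk.txt"
}

answer() { cat "$WORK/$1.txt"; }              # read one question's answer
count()  { wc -l < "$WORK/$1.txt" | tr -d ' '; } # how many lines that answer has

run_pipeline() {
    seed_inputs
    q_live_hosts & q_open_ports &
    wait                                      # wave 1 complete
    q_cert_expiring & q_high_risk &
    wait                                      # wave 2 complete
    for q in live ports cert_expiring high_risk; do
        printf '%-14s %s answer(s)\n' "$q" "$(count "$q")"
    done
}

run_pipeline
```

The point of the file-per-answer layout is that every question becomes replaceable on its own: swap the stand-in body of one stage for the real tool and nothing downstream changes, and a question that goes stale can be deleted or rewritten without touching the others. Adding a third wave (say, a vulnerability check that needs the live-host list) is one more function and one more `&`/`wait` pair.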
Continuous Improvement — You may notice that these two efforts above have something in common. The unifying theme is something I wrote about in my book, which I called DOM, or Desired Outcome Management. The idea is to know what you want, to set up continuous monitoring of that thing, and then to use new knowledge and the results of monitoring to make/recommend changes to our behavior. Rinse and Repeat. GOALS –> MONITORING –> UPDATE GOALS –> UPDATE BEHAVIOR –> MONITORING –> REPEAT. This works for improving your retirement nest egg, your health, or your web testing methodology. And the mechanism I use to power all of this is QUESTIONS. What are you trying to accomplish in your life? How would you know you were successful? How would you know you’re healthy? What do you need to know about a site to determine it’s insecure? What about a website—if it were true—would prompt you to make an immediate change? Those are not just the questions I care about, but the questions that I intend to CONTINUOUSLY ask, in perpetuity. And if they ever become stale, I will replace them with better questions. That’s part of the process. This is continuous monitoring and continuous optimization turned into an actual methodology. So that’s what I’m on about.
Throwing Away Trees — You want to know a liberal, big-government, pro-environment policy that I would LOVE to see? A BAN ON PAPER JUNK MAIL. I’d vote for that shit instantly.
California Has a Texas Problem — A lot of people are making fun of Texas right now for not being able to handle cold weather. But I live in California, and here we have rolling blackouts in the summer (soon to be spring and fall?) because we can’t handle the heat. It’s embarrassing in both cases. Rolling blackouts should not be part of the conversation for the richest country in the world in 2021.
NOTES
Thank you for all the input on products and services that you love. I’ve found a few great ones through everyone who submitted, which I’ll be mentioning over time as I get a chance to use them. And please keep them coming!
I’m about to add a Metrics section to the show. I’m looking to have key metrics such as unemployment, home sales, life satisfaction, and certain temporary items we care about as well (like COVID stats). Do you like the idea? What other metrics would you like to see in that section?
For this metrics section, I’m going to build my own automated workflows for capturing them continuously, and I’ll post them somewhere on the site. Maybe at /metrics or something.
Some of these entries in the Ideas/Content/Analysis section are getting rather long, but I think I’m ok with it. The new header tells you what it’s about, and you can either skip it or consume it in around 2 minutes. And I can turn them into full essays on the site if I want to later. Let me know what you think.
I’m reading The Second Mountain, by David Brooks. It’s extraordinary. I’m about to directly recommend this book to like 10 of my close friends. More
DISCOVERY
OURA Ring — I’ve tried a lot of wearables in my time, and other than my watch I’ve never stuck with one for more than a couple of weeks. The OURA Ring is the exception. I wear it every day and every night, which gives me sleep tracking without having to wear my watch or install one of those silly bed covers. More
X-1 Ultralight Titanium Knife — This is my EDC knife, and I absolutely love it. It does two things for me: 1) minimalism, and 2) never needing sharpening because it uses utility razor blades. More
Summarize IPs — An ipinfo.io service that shows you data on provided IPs, such as their ISPs, country of origin, geographical location, type of business, etc.—with visualizations. More
Cloudlist — A utility from Project Discovery that pulls hostnames and IPs from your cloud providers so you can scan them. More
MapCIDR — A utility from Project Discovery that breaks up a CIDR range into multiple pieces based on definable criteria. More
BBScope — A tool that will give you the approved scope for a bug bounty program. More
Bookfeed.io — A tool that lets you specify a list of authors and get an RSS feed of their latest releases. More
PaperKarma — Reduce your postal junk mail by taking a picture of the sender’s address. More
I Miss My Bar — Recreate your favorite bar scene using a website. More
Reddit is America’s Unofficial Unemployment Hotline More
AI has finally given us a remaster of Never Gonna Give You Up in 4K. More
RECOMMENDATIONS
Ask yourself, very seriously, at the scale of your entire life—What would you do if you weren’t afraid? Would you be with the same person? Would you have the same job? Would you even be in the same industry? Do you know your ideal pursuit or lifestyle? Ok, so now that you have that in your mind…how can you face those fears and move towards your ideal life? Interviews with dying people reveal that most don’t regret what they did. They regret what they didn’t do. Don’t be that person.
APHORISMS
“Humility is the awareness that you are an underdog in the struggle against your own weakness.”