Get the podcast on Apple Podcasts
×

DanielMiessler

search
Login Become a Member Subscribe
Exploring the intersection of security, technology, and society—and what might be coming next...
Standard Web Edition | Ep. 312 | January 2, 2022

SECURITY NEWS
The log4j fiasco has continued through the holidays, with a new RCE being found in 2.17. As I mentioned in a previous piece, however, everything after 2.15 (so far) has required a non-standard logging configuration be present in order for you to be at risk. My recommendation on all of this is to use this opportunity to invest in asset management—not just for your web applications and the libraries they run, but for all your tech stacks. For example, what would you do if PHP X.x had a major vulnerability tomorrow? Or WordPress. Or Django. Be ready before you have to answer those questions on a 1 AM call. More

Covid is hitting hard right now due to Omicron being so transmissible, but the good news is that it does seem less severe for most. Experts are saying it’s likely to peak around the middle of January, and the future will depend on 1) new variants and how transmissible or dangerous they are, vs. 2) the efficacy of our new vaccines and our new treatments, including Merck’s newly approved antiviral pill. The fact that Omicron cuts so effectively through both vaccines and masks has complicated the debate about precautions and lockdowns. So the question is what future variants will look like, and how effective our defenses will be. 

CISA has released a scanner to find apps vulnerable to the log4j vulnerability. The tool supports lists of URLs, fuzzing more than 60 request headers, fuzzing of POST data, fuzzing of JSON parameters, WAF bypass, and DNS callback for discovery and validation. More | The Tool

Crowdstrike researchers have found a Chinese APT group using log4j vulnerabilities in VMWare to target at university for sensitive IP. More

AirTags are being used to stalk people, which isn’t really a surprise to anyone who’s been paying attention. Apple has built some solid features for defending against this, but those features only reduce some of the risk. I think the long-term solution to this will be, 1) Apple creating increasingly visible alerts on nearby devices, 2) wider awareness and use of AirTag-like device detection apps, and 3) deeper integration of these detection/notification features into iOS and Android. More

China’s Ministry of Industry and Information Technology has suspended Alibaba Cloud for not reporting its log4j issues to it quickly enough. Yet another piece of straw on the camel that is corp vs. government tension in China. More

Incidents: 
  • T-Mobile has had another, smaller data breach after the large one in August. This one involved just a “small” number of customers of possible SIM swapping attacks affecting them.
Companies:
  • Noname Security has raised $135 million to proactively lock down APIs. More

TECHNOLOGY NEWS
HTTP3 is coming. First Web3, now HTTP3. So what’s the difference? TL;DR is in 1.1 we had one file being downloaded at a time, then in HTTP/2 we had the ability to open multiple connections and do them in parallel, and now in HTTP/3 we’re switching protocols from TCP to QUIC, which eliminates bottlenecks even further. HTTP/3 is fast! And it’s even faster at long distances. We’re talking between 600 and 1200ms faster for loading from London vs. New York. More | Metrics

TikTok has passed Google as the most popular online destination. That’s stunning to me. Ready Player Me is a company trying to be the Gravatar of visual avatars in the metaverse. Cool name. The nerd in me wonders how this will work, though, since some metaverses will require me to be a furry, or a vampire. So I don’t see how you’re going to use one avatar everywhere. More

The Pixel 6 launched two months after the iPhone 13, but after just a month it lost 43% of its value compared to just 25% for the iPhone. More


HUMAN NEWS
San Fransisco’s mayor, London Breed, has declared a state of emergency to address rampant crime in the city. More

Studies are suggesting that Omicron is less severe than previous Covid strains because it largely avoids the lungs. More

Lake Tahoe saw over 17 feet of snow in December, which was much welcomed. We’ve had tons of rain in the Bay Area, and it’s been wonderful. More


CONTENT, IDEAS & ANALYSIS

Losers Exist, Don’t Hire Them — A brilliant piece by Bryan Goldberg that I’m reposting because it fell off the internet. It’s about my favorite types of interview questions, and why they’re so effective. More

Comparing My Top 4 Security Podcasts/Newsletters — The four podcasts/newsletters I recommend to people, and how they’re different. More

A Stock Market Correction is Coming, and That’s Ok — A short piece on why I think it’s ok to be in the stock market, as long as you’re there long-term. More

My Predictions for Crypto — How I see things playing out for the space, with a couple of main paths. More

What to Do Instead of New Years Resolutions — I don’t like resolutions, but I do these things instead. More

Metaverse — “If you want to understand the metaverse, think of it using a different name: “A technology-powered place where people can construct alternate versions of themselves and engage in activities that make them feel valued and give them a sense of meaning.” RetweetTweet

Asset Management — “This week the internet has learned—once again—that asset management is the center of security. It’s hard to patch what you can’t find.” Retweet | Tweet

Viral TikTok Disorders — There’s a disturbing trend happening on TikTok where teens are looking at viral videos about disorders and then coming to believe they’re suffering from them. One example is posts with the hashtag #disassociative identity disorder. I think this is particularly dangerous because teens are very sensitive to explanations for their hardships. They struggle enough as it is, then you add social media and a pandemic to it, and I think they’re basically looking for explanations for their pain and suffering. So if you offer them one, they’re likely to accept it—perhaps without even knowing—and could even start exhibiting those symptoms without having the actual disorder. I think that’s a safe assumption, but of course it’s hard to know the difference, either as the kid or as a parent or doctor. If you’re a parent you might want to watch for this sort of thing. It’s a powerful force when an entire peer group tells a kid that they are something, or that they have some problem. They might just believe it. More


NOTES
Welcome to 2022. Not sure what to expect, but I can tell you I’m glad you all are on the same ride I’m on. 🙂

December’s Book Club for Good Strategy, Bad Strategy will be this coming Sunday at 2 PM PST!

Movies — Spiderman: 8/10, Matrix: 4/10.


DISCOVERY

Sponsored Discovery


As a UL member I am excited to invite you to a FREE training on Soft Skills for a Threat Modeler.

Everybody knows how to do some basic threat modeling. But we often overlook the crucial soft skills necessary to turn an average meeting into an exciting workshop.

In a 1-hour training on January 10th, you will:
  • Learn the necessary soft skills to become a threat modeling master
  • Discover Maslow’s hierarchy of threat modeling
  • Sharpen your existing threat modeling skills
— Seba Deleersnyder, CTO Toreon, threat modeling trainer at Black Hat USA (last 5 years)
 

Balaji posted a fascinating visual showing China’s deep involvement in Africa. 46 African states with Belt & Road deals, 22 Chinese-built ports / free trade zones, and 8 special economic zones. More

Visualizing the $94 Trillion world economy in one chart. More

A New York Times poll on the best books of the past 125 years. I’m going to be reading a ton of these, and recommending a couple for the UL Book Club in 2022!. More

10 Years of Logging My Life More

Feynman’s method for becoming a genius. More

Twilio’s List of the Security Metrics That Matter the Most More

“Why did we call it a booster shot instead of a sequel injection?” More


RECOMMENDATION
If you’re someone who always has a dozen projects going, consider trying to do fewer things in 2022, but do them better. In order for projects to have an impact, you have to 1) ship them, and 2) ship them with an adequate level of quality. 


APHORISM
“Thus, all ads effectively have two audiences: potential product buyers, and potential product viewers who will credit the product owners with various desirable traits.”

Geoffrey Miller, Spent: Sex, Evolution, and Consumer Behavior
DanielMiessler
© Daniel Miessler 1999-2023


Security, Tech, and Society in 10 Minutes
20 hours of reading and analysis condensed into a 10-minute summary every Monday morning.


Join 55,000+ readers who see the patterns in the noise.