| SECURITY NEWS|
The log4j fiasco has continued through the holidays, with a new RCE being found in 2.17. As I mentioned in a previous piece, however, everything after 2.15 (so far) has required a non-standard logging configuration be present in order for you to be at risk. My recommendation on all of this is to use this opportunity to invest in asset management—not just for your web applications and the libraries they run, but for all your tech stacks. For example, what would you do if PHP X.x had a major vulnerability tomorrow? Or WordPress. Or Django. Be ready before you have to answer those questions on a 1 AM call. More
Covid is hitting hard right now due to Omicron being so transmissible, but the good news is that it does seem less severe for most. Experts are saying it’s likely to peak around the middle of January, and the future will depend on 1) new variants and how transmissible or dangerous they are, vs. 2) the efficacy of our new vaccines and our new treatments, including Merck’s newly approved antiviral pill. The fact that Omicron cuts so effectively through both vaccines and masks has complicated the debate about precautions and lockdowns. So the question is what future variants will look like, and how effective our defenses will be.
CISA has released a scanner to find apps vulnerable to the log4j vulnerability. The tool supports lists of URLs, fuzzing more than 60 request headers, fuzzing of POST data, fuzzing of JSON parameters, WAF bypass, and DNS callback for discovery and validation. More | The Tool
Crowdstrike researchers have found a Chinese APT group using log4j vulnerabilities in VMWare to target at university for sensitive IP. More
AirTags are being used to stalk people, which isn’t really a surprise to anyone who’s been paying attention. Apple has built some solid features for defending against this, but those features only reduce some of the risk. I think the long-term solution to this will be, 1) Apple creating increasingly visible alerts on nearby devices, 2) wider awareness and use of AirTag-like device detection apps, and 3) deeper integration of these detection/notification features into iOS and Android. More
China’s Ministry of Industry and Information Technology has suspended Alibaba Cloud for not reporting its log4j issues to it quickly enough. Yet another piece of straw on the camel that is corp vs. government tension in China. More
HTTP3 is coming. First Web3, now HTTP3. So what’s the difference? TL;DR is in 1.1 we had one file being downloaded at a time, then in HTTP/2 we had the ability to open multiple connections and do them in parallel, and now in HTTP/3 we’re switching protocols from TCP to QUIC, which eliminates bottlenecks even further. HTTP/3 is fast! And it’s even faster at long distances. We’re talking between 600 and 1200ms faster for loading from London vs. New York. More | Metrics
TikTok has passed Google as the most popular online destination. That’s stunning to me. Ready Player Me is a company trying to be the Gravatar of visual avatars in the metaverse. Cool name. The nerd in me wonders how this will work, though, since some metaverses will require me to be a furry, or a vampire. So I don’t see how you’re going to use one avatar everywhere. More
The Pixel 6 launched two months after the iPhone 13, but after just a month it lost 43% of its value compared to just 25% for the iPhone. More
San Fransisco’s mayor, London Breed, has declared a state of emergency to address rampant crime in the city. More
Studies are suggesting that Omicron is less severe than previous Covid strains because it largely avoids the lungs. More
Lake Tahoe saw over 17 feet of snow in December, which was much welcomed. We’ve had tons of rain in the Bay Area, and it’s been wonderful. More
CONTENT, IDEAS & ANALYSIS
Losers Exist, Don’t Hire Them — A brilliant piece by Bryan Goldberg that I’m reposting because it fell off the internet. It’s about my favorite types of interview questions, and why they’re so effective. More
Asset Management — “This week the internet has learned—once again—that asset management is the center of security. It’s hard to patch what you can’t find.” Retweet | Tweet
Viral TikTok Disorders — There’s a disturbing trend happening on TikTok where teens are looking at viral videos about disorders and then coming to believe they’re suffering from them. One example is posts with the hashtag #disassociative identity disorder. I think this is particularly dangerous because teens are very sensitive to explanations for their hardships. They struggle enough as it is, then you add social media and a pandemic to it, and I think they’re basically looking for explanations for their pain and suffering. So if you offer them one, they’re likely to accept it—perhaps without even knowing—and could even start exhibiting those symptoms without having the actual disorder. I think that’s a safe assumption, but of course it’s hard to know the difference, either as the kid or as a parent or doctor. If you’re a parent you might want to watch for this sort of thing. It’s a powerful force when an entire peer group tells a kid that they are something, or that they have some problem. They might just believe it. More
Welcome to 2022. Not sure what to expect, but I can tell you I’m glad you all are on the same ride I’m on. 🙂
December’s Book Club for Good Strategy, Bad Strategy will be this coming Sunday at 2 PM PST!
Movies — Spiderman: 8/10, Matrix: 4/10.
As a UL member I am excited to invite you to a FREE training on Soft Skills for a Threat Modeler.
Everybody knows how to do some basic threat modeling. But we often overlook the crucial soft skills necessary to turn an average meeting into an exciting workshop.
In a 1-hour training on January 10th, you will:
Balaji posted a fascinating visual showing China’s deep involvement in Africa. 46 African states with Belt & Road deals, 22 Chinese-built ports / free trade zones, and 8 special economic zones. More
Visualizing the $94 Trillion world economy in one chart. More
A New York Times poll on the best books of the past 125 years. I’m going to be reading a ton of these, and recommending a couple for the UL Book Club in 2022!. More
10 Years of Logging My Life More
Feynman’s method for becoming a genius. More
Twilio’s List of the Security Metrics That Matter the Most More
“Why did we call it a booster shot instead of a sequel injection?” More
If you’re someone who always has a dozen projects going, consider trying to do fewer things in 2022, but do them better. In order for projects to have an impact, you have to 1) ship them, and 2) ship them with an adequate level of quality.
“Thus, all ads effectively have two audiences: potential product buyers, and potential product viewers who will credit the product owners with various desirable traits.”
— Geoffrey Miller, Spent: Sex, Evolution, and Consumer Behavior
Exploring the intersection of security, technology, and society—and what might be coming next...
Standard Web Edition | Ep. 312 | January 2, 2022