Exploring the intersection of security, technology, and society—and what might be coming next...
Standard Web Edition | Ep. 313 | January 10, 2022
SECURITY NEWS
Web3 and NFT Analysis — Moxie Marlinspike wrote a brilliant piece last week on Web3 and NFTs. Web3 is such a major topic I thought it was worth covering in depth and in the security section. The biggest point of his piece, at least to me, was that there’s generally no mechanism for ensuring the integrity of NFTs. He created his own example NFT which was just a link to a web server, and then he proceeded to modify and delete what existed there. The result was that he could have an NFT in a wallet one moment, delete it off his server, and the NFT would disappear from the wallet! The second major point, which is larger in scope, is that Web3 is all based on servers, not on clients, and people don’t want to run their own servers. This means there will be tremendous pressure for big companies to run most of the servers—aka most of Web3. The overall takeaway for me was very “I don’t think that word means what you think it means” in the sense that most people believe blockchain and Web3 have this powerful integrity built-in. Right now. Today. Moxie demonstrated very clearly, both with prose and with examples, that this is not the case. This doesn’t mean Web3 is lost by any means, but it does give one pause when hundreds of billions of dollars are being thrown around in NFTs and Web3 based on assumptions that aren’t currently true. More | One Response to Moxie
A North Korean cyberespionage group called Konni has been linked to attacks on the Russian Federation’s Ministry of Foreign Affairs. These attacks started with credential stuffing and then loading malware to steal intelligence. More
Venture funding in the cybersecurity space crossed $20 billion in 2021, and the last quarter set a new quarterly record of $7.8 billion. More
Part of the Pegasus spyware package has been uploaded by a security researcher to Github. More
QNAP has warned its users to get its NAS devices off the internet, and it’s given instructions on how to do so. This comes after months of repeated vulnerabilities affecting the devices. More
SSH 8.9 will include agent restriction, which will have two main functions: “a safe runtime store for unwrapped private keys, removing the need to enter a passphrase for each use, and a way to forward access to private keys to remote hosts, without exposing the private keys themselves.” More
The US military is working hard to counter the threat posed by hobbyist-level drones. The problem is that they’re both small and cheap, and you can strap explosives to them. Possible solutions range from lasers to microwave blasts. More
VMware has patched a bug affecting ESXi, Workstation, and Fusion | System Takeover More
WordPress has been updated to address multiple vulnerabilities | DoS More
The New York State Office of the Attorney General has warned 17 companies that 1.1 million customers have had their accounts compromised using credential stuffing. More
Google has purchased Siemplify—a late-stage Israeli company in the SOAR space—for around $500 million. More
TECHNOLOGY NEWS
Apple has become the first company to hit $3 trillion in market cap. It was also the first to hit $2 trillion, and if it has any success with a rumored headset and car, it’ll probably be the first to $4 trillion. I attribute a lot of this to Tim Cook and his expertise in managing a supply chain. More
Blackberry devices stopped working on January 4th. For real this time. More
OpenSea, the largest NFT trading website, is now valued at $13 billion. More
Twitter is rolling out a new test feature where people do video reactions to tweets, like TikTok. More
It’s been 15 years since Steve Jobs revealed the iPhone. I remember where I was that day, and what I was doing. It was a big day for me, and it led to me becoming an Apple person when I was not at all before. More
HUMAN NEWS
A record 4.5 million Americans quit their jobs in November. The number of open positions fell from 11.1 million to 10.6 million in October. More
Between 2009 and 2018, the proportion of adolescents reporting having no sexual activity (including masturbation) rose from 29% to 44% among men, and from 50% to 74% for women. More
The Mayo Clinic fired 700 unvaccinated employees due to noncompliance with vaccination policy, which is around 1% of its workforce. More
A nasal spray that prevents dementia is moving into human trials. It combines an antibiotic and resveratrol to combat plaques in the brain that are known to be associated with cognitive decline. More
1 out of every 153 American workers works for Amazon. More
CONTENT, IDEAS & ANALYSIS
The Unsupervised Learning Everyday Carry — Many have asked what my EDC is, i.e., what tools and gadgets I keep on my person and use every day. This member-only post answers that question and goes into why I use each item. More
Mentor vs. Nemesis — I enjoyed this piece on how many great people weren’t encouraged by mentors as much as they were energized by a nemesis. I see this dynamic a lot in life, where there is a healthy tension and competition between friends and peers in a particular space. The bug bounty space is a great example, where you have a lot of very smart hackers and creators putting out content. They’re friends, but they’re also competing. And some of them have one or more nemeses that drive them to be better. I’m not sure of the right balance of positive and negative—of push and pull—but I do think that it’s natural to be driven by negative competition. I personally use a different tactic, which is competing with the best in the world, including people who are dead, and demanding that I get to that level.
The Usefulness of “Prepping” — A Tucker Max blog post about prepping blew up recently. It’s all about what you need to truly get ready for a massive crash, and what actually won’t work even though people think it will. I thought it was a good piece and it echoed my thoughts on the topic. The most important of which was that if you don’t have a community defense strategy, you don’t have a survival strategy. Meaning, you can have all the food stores you want, but if you can’t defend them from a group of men with guns, you don’t have much. My current methodology isn’t much modified by the piece, i.e., having enough to escape and survive for a few weeks while things go back to normal after a natural disaster or something similar. I still contend that if the US or the world economy fails, there’s nothing my bugout bag is going to do to help me. For that, you basically need a place in Idaho to meet your friends and start a new civilization. Note: a lot of the prediction and political stuff in the piece, I just don’t agree with. But I did find the preparation stuff thought-provoking. More
I vs. T-shaped People: Which Are Better For Which Jobs? — This was an interesting piece and discussion on Hacker News about someone who typically looks for I-shaped people (narrow and deep) vs. T-shaped people (broad and shallow), but who also happened to notice that most of their best projects had a good mix of both. I tend to look for people who are unicorns in this way: being mostly T, but with one or two I-like areas.
NOTES
Not sure who’ll notice, but I simplified the newsletter design for this episode, especially around the header. If you noticed and cared, let me know what you think.
We had a great UL Book Club today discussing Good Strategy, Bad Strategy. The next book has been chosen and we even have the next couple picked out after that. Great discussion today, and can’t wait for the next one!
I continue to struggle with blatant plagiarism of my content online and am looking for a solution to it. If you all know of anything, please let me know. More
GovInfo RSS Feeds — A massive list of RSS feeds that let you track what the government is doing, from bills to budgets to congressional committee meetings, and more. More
The Wall — Near-real-time animations of geostationary satellites. More
Keyboard Drill — An elegant website that helps you learn to type faster. You give it a target WPM, and it drills you until you get that fast on various words. More
ffuf — My favorite web fuzzer, which is written in Go. More
nuclei — The future of vulnerability scanning (in my opinion). It’s YAML-based signatures for finding issues across multiple protocols. More
nuclei templates — A repository of check types that can be used with Nuclei. More
A TomNomNom Recon Tools Primer — A previous post of mine going over my favorite recon tools from @TomNomNom. More
RECOMMENDATION
Spend this time in January to lock in a solid daily routine. As James Clear says in Atomic Habits, we don’t rise to the level of our goals; we fall to the level of our systems. That means you need a good system. This is mine, which I spent like a week researching and writing during the holiday break. But it doesn’t matter so much which one you use. It matters more that you actually have one, and that you use it rather than relying on luck or hope. Find an algorithm that will get you to where you want to be, and follow it.
APHORISM
“The three most harmful addictions are heroin, carbohydrates, and a monthly salary.”