Unsupervised Learning Newsletter NO. 347

News & Analysis

TikTok Hack, Cloudflare Kiwi, Google OSS Bounty
šŸ—žļø NO. 347Ā | SEP 6 2022
STANDARD EDITION

Hello,

I hope you're doing well.

SECURITY NEWS

TikTok Hacked?
A group called AgainstTheWest posted a message to a hacker forum claiming they have a 790GB database full of TikTok (and WeChat) data, including user data, auth tokens, etc. Despite the name, the group evidently targets groups that are against the West. TikTok has denied direct scraping, but the data could have many sources, including third parties. More | More

Cloudflare Drops Kiwifarms
Cloudflare finally dropped Kiwifarms, which has functionally become a real-world harassment platform largely aimed at the LGBTQ+ community. They stated the reason was, "specific, targeted threats have escalated over the last 48 hours to the point that we believe there is an unprecedented emergency and immediate threat to human life unlike we have previously seen from Kiwifarms or any other customer before." More

Google Targets Open-Source Vulns
Google is starting a new bug bounty program called the Open Source Software Vulnerability Rewards Program (OSS VRP) centered around open-source vulnerabilities. The program pays out between $100 and $31,337 for bugs in Google's OSS project repositories hosted on GitHub, as well as related dependencies. More

Sponsor

🔭 Keeper Security: Are Your Company's Passwords at Risk?

In the modern work environment, employees access countless apps, services, and websites. How many of those credentials are stored on sticky notes or shared on spreadsheets? How many employees just use Password123 for every system?

Keeper Security's enterprise password management platform enforces strong passwords and makes it easy for teams to securely share credentials. Keeper locks down login details, infrastructure credentials, confidential documents, and more in a patented, Zero-Knowledge vault. Plus, it takes less than an hour to deploy.

US vs. Chinese Tech
The US is planning more limitations on Chinese technology advancement via executive order. The Biden Administration will limit how Chinese services collect US data and what kinds of technologies can be sold to China. This comes after last month's CHIPS act, which incentivizes US companies to build chip plants back home. More

Ubiquiti Not Hacked?
Brian Krebs has recanted his coverage of Ubiquiti being breached. Evidently what happened was a former employee stole tons of data and pretended to be an anonymous hacker, and he then sent Ubiquiti a $2 million ransom demand. He also went to Krebs, as one does, which added even more pressure to Ubiquiti. More

Montenegro Ransom
Montenegro got hit with Cuba ransomware and a $10 million demand as part of widescale cyberattacks on the country's infrastructure. The attackers are likely Russian, and the FBI is helping because Montenegro used to be a Russian ally and is now part of NATO. More

Joint Supply Chain Guidance
NSA, CISA, and ODNI have released new software supply chain guidance for developers, including how to develop secure code, verify third-party components, harden build environments, and deliver code securely. More | Guidance PDF

Vulnerabilities

  • 🪳 CISA has released 12 Industrial Control Systems advisories for Hitachi, Honeywell, Fuji, Omron, PTC, Sensormatic, and Mitsubishi More

Incidents

  • 📓 A database of 800 million Chinese faces and license plates has been leaked online after being extracted from insecure cloud storage. This is right after June's release of a billion Chinese police records. More


TECHNOLOGY NEWS

Tweet Editing
Twitter now has an Edit button, but it's quite limited. First: you only have 30 minutes to make edits. Second: people will be able to see that it was modified. And third: the history will be visible. People are both arguing it's not powerful enough, and that it's too powerful, so it sounds like a decent first attempt. More

Snap Cuts
Snap stock is down 80% for the year and it's reducing its workforce by 20% and going through another restructuring. It was hard enough fighting Instagram and Facebook, and now TikTok is on the field as well. More

More AI Art Craziness
It's getting hard to follow all the AI Art stuff, and people are understandably getting burned out on it. We had DALL-E, then Midjourney, and now we have Stable Diffusion. It's a lot. To me the biggest developments in the last week have been 1) DALL-E's Outpainting Tool that lets you fill in the stuff around an image. And when I say fill in, I mean completely make up. Then 2) this Stable Diffusion demo showing integration with Photoshop. Truly scary in the exciting way. More | Stable Diffusion Deep-dive | SD Demo

Midjourney Wins Art Competition
Someone entered a piece of AI-generated art into a state fair competition and won first prize. People aren't happy, but I think the problem is one of definitions and rules. Competitions will soon have to be explicit about help from others, and help from AI. More

USB 4 Version 2
The new version of the USB protocol now allows up to 80GB/sec in transfer speed, which is twice that of Thunderbolt 4. And you can get to 40GB/sec using the USB cables you already have. More


HUMAN NEWS

The JWST has confirmed carbon dioxide on an exoplanet called WASP-39b. The planet is around 700 light-years away, and is something of a "hot Jupiter", being larger than Jupiter but closer to its star than Mercury. More

The new telescope also captured the first direct image of a planet outside the solar system. The planet is called HIP 65426 b, and it has between 6 and 12 times the mass of Jupiter, and it sits around 100 times further from its sun than we are from ours, which is how we're able to see it. More

New research shows that around half of cancer deaths, across 200 countries, are preventable, with the primary causes being smoking, alcohol, and obesity. This is a stunning statistic, and reminds me of the fact that over half of American gun deaths are suicides. More

US life expectancy dropped again, with Covid being the primary cause. Somewhat related, I was alarmed to see that the average life expectancy for Asian Americans was 83 years while it's 70 years for Black Americans, a stunning 13-year difference. More


CONTENT, IDEAS & ANALYSIS

Kiwifarms and Censorship
I get Cloudflare not wanting to censor their customers. Really, I do. But it's not "caving to censorship" to refuse to keep horrible sites on as customers. And when I say "horrible", I think we should have a definition. The logic is super clear here: 1) there are some things that should cause you to fire a customer, 2) the bar should be very high, 3) it should be obvious if that bar is met, and 4) the action should be swift. Cloudflare failed at pretty much all of these. They're being praised as heroes on the right for not giving into The Libs and censoring anything not Woke enough, and a line does need to be drawn there. But letting a platform basically dox and harass people, to the point of suicide, not as a random occurrence but as a matter of course, should damn sure trip the alarm. There's quite a lot of sunlight between "not Woke enough" and "trying to create suicide events in marginalized people". They need to articulate their principles into a clear policy and enforce it.

NOTES

This month's book in our UL Book Club is Steven Pressfield's new title, Put Your Ass Where Your Heart Wants to Be. I originally nominated The War of Art, which is also by him, so we decided to read both. But I'm already done with both and have started reading all his other nonfiction books. So I'll have read like 4 or 5 by him by the time we get to book club. I love the way Pressfield writes. It's extremely approachable. He uses lots of chapters that can be as short as a couple of paragraphs each, and interestingly this is the style I prefer as well, and that I used when I wrote The Real Internet of Things. Really looking forward to book club this month.


DISCOVERY

āš™ļø PORT SCANNINGĀ | Naabu (ā­ļø 2.5K )
Naabu is my favorite port scanner for in-line checking for webservers, meaning you can chain it together with other pipe-enabled tools to form amazing one-liners. Tool | by Project Discovery

āš™ļø RECONĀ | Gorilla (ā­ļø 273 )
Gorilla builds wordlists based on multiple criteria, including: patterns, formats, web page content, or existing list extension. Tool | by d4rckh

āš™ļø WEB SECURITYĀ | WPHashĀ 
An index of WordPress plugin hashes. ToolĀ 

āš™ļø CONTAINER SECURITYĀ | Lazytrivy (ā­ļø 97 )
lazytrivy is a wrapper for Trivy that allows you to run Trivy without remembering the command arguments. Tool | by Owen Rumney | Owen's Twitter

āš™ļø KUBERNETES SECURITYĀ | Kubernetes OWASP Top 10 (ā­ļø 286 )
The OWASP Kubernetes Top 10 is aimed at helping security practitioners, system administrators, and software developers prioritize risks around the Kubernetes ecosystem. ToolĀ 

📺 PURPLE TEAMING | Going Atomic @ Blue Team Con
The Strengths and Weaknesses of a Technique-centric Purple Teaming Approach. Presentation | by Alfie Champion | Alfie's Twitter

🔬 FORENSICS | Memlabs
MemLabs is an educational, introductory set of CTF-styled challenges in the field of Memory Forensics. Labs | by stuxnet999

🔭 Keeper Security: Are Your Company's Passwords At Risk? [Sponsor] - Keeper Security focuses on centralizing passwords and access control within your company to prevent bad hygiene. Also check out the interview we did with them. Try Keeper for Free | Listen to the Interview


8 Problems With Your Meeting Video Setup, and How to Fix Them
I really loved the examples here, and will be implementing many of the fixes myself. More

War and Industrial Policy
A great analysis of current economic and security trends by Zoltan Poszar at Credit Suisse. PDF

The SOC 2 Starting Seven
Someone's list of the top 7 things you should do to get ready for a SOC2 audit. More

The IKEA Effect
Where people like things they've created/assembled more than they should, and how it's bad when managers have this problem. More

Data Structure Sketches More

Questions to ask employers during developer interviews. More

If You Want This Job We Must Interview You Forever More

Someone took a Mavic 3 drone to the peak of Everest. Video


RECOMMENDATION

If you are a reader, try to incorporate more classics into your rotation. It's nearly impossible to be disappointed by classics. You are either blown away by how good they are, or you retroactively see how they affected so much of what you see everywhere in culture. Here's the current list I'm working through.


APHORISM

"The counterfeit innovator is wildly self-confident. The real one is scared to death."

Steven Pressfield