Another T-Mobile Breach
T-Mobile has had another security breach, this one affecting at least 37 million accounts. They haven't described the issue in detail yet, but they said it was an API problem, which points me toward IDOR. An IDOR (Insecure Direct Object Reference) vulnerability is one where, if your account is #1298, you can manually change the ID in your request to 1299 and pull a different user's data. In other news, API Security companies are doing really well right now. MORE
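The IDOR pattern described above, as an added example that is not from the T-Mobile disclosure or from this newsletter: a handler that checks login but not ownership next to one that enforces object-level authorization, plus a small detection that flags callers walking adjacent account IDs in constructed access-log lines (account IDs, users, phone numbers and log format are all made up).

```python
# Constructed in-memory account store and log lines; nothing here is T-Mobile's real API.
from dataclasses import dataclass
from typing import Optional
import re

@dataclass(frozen=True)
class Account:
    owner: str
    phone: str

# Sequential IDs, as in the "#1298 -> 1299" illustration above.
ACCOUNTS = {1298: Account("alice", "555-0100"), 1299: Account("bob", "555-0101")}

def get_account_vulnerable(requester: str, account_id: int) -> Optional[Account]:
    """IDOR: the caller is authenticated, but ownership of the requested row is never checked."""
    return ACCOUNTS.get(account_id)

def get_account_safe(requester: str, account_id: int) -> Optional[Account]:
    """Object-level authorization: the row comes back only if the caller owns it.
    Missing and not-owned both yield None (a 404), so the ID space cannot be probed."""
    account = ACCOUNTS.get(account_id)
    if account is None or account.owner != requester:
        return None
    return account

# Constructed access-log lines: mallory walks three adjacent IDs, alice and bob read their own.
SAMPLE_LOG = [
    "user=alice GET /api/accounts/1298 200",
    "user=mallory GET /api/accounts/1298 200",
    "user=mallory GET /api/accounts/1299 200",
    "user=mallory GET /api/accounts/1300 200",
    "user=bob GET /api/accounts/1299 200",
]
LOG_RE = re.compile(r"user=(\w+) GET /api/accounts/(\d+)")

def suspicious_enumerators(log_lines, min_adjacent: int = 3):
    """Flag users who touched at least min_adjacent distinct, numerically adjacent account IDs."""
    ids_by_user = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            ids_by_user.setdefault(m.group(1), set()).add(int(m.group(2)))
    flagged = set()
    for user, ids in ids_by_user.items():
        ordered = sorted(ids)
        adjacent_pairs = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
        if adjacent_pairs + 1 >= min_adjacent:
            flagged.add(user)
    return flagged
```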
You can now use credit cards as Canary Tokens. You can go (for free) to canarytokens.org and you'll get a valid credit card, with a number, expiration, and CVC. And if anyone tries to use that credit card number you'll be notified! MORE
There's a new piece of Android malware called 'Hook' that allows attackers to fully control your phone. It's created by the publisher of Ermac, an Android banking trojan selling for $5,000 a month, but Hook has the additional feature of being able to control the affected device over VNC. MORE
Office -> OneNote
Attackers are now spreading malware through Microsoft OneNote attachments. The switch comes after Microsoft disabled macros by default in the more standard Office formats. MORE
Cobalt -> Sliver
Many attackers are migrating from Cobalt Strike to the more defender-focused Sliver C2 framework. The primary reason seems to be that Cobalt Strike is simply too loud at this point due to how many tools have detections for it. MORE
Git patched two critical RCEs. Upgrade to latest. MORE
🔥🤖 An Actual Smart Assistant
Someone built a smart home assistant using ChatGPT. It is a far better assistant than Siri or Alexa for home related tasks, but it's also just a general assistant. So basically, ChatGPT, but linked to the smart home. Absolutely brilliant. I'm hoping this type of integration becomes widely available soon. MORE | VIDEO
Layoffs Continue in Tech
The layoffs have continued in tech through January, and in fact the number of people laid off this month is the highest in 12 months. I feel like the volume of layoffs has provided cover to those who wanted to do some but didn't want the bad PR. And now there are so many they feel safe because "everyone's doing it." STATS
Apple announced the new MacBook Pros with M2 Pro and M2 Max chips. The Max can be fitted with a maximum of 96GB of memory. MORE | REVIEW
Study Reveals Conception Ages for the Last 250,000 Years
A new study has revealed the average age that men and women have been conceived for the last 250,000 years. "The average age that humans had children throughout the past 250,000 years is 26.9. Furthermore, fathers were consistently older, at 30.7 years on average, than mothers, at 23.2 years on average, but the age gap has shrunk in the past 5,000 years, with the study's most recent estimates of maternal age averaging 26.4 years." MORE
Breathing vs. Meditation for Mood
A new study (with Huberman as a co-author!) has shown that breathing-based activities improve mood and physiological arousal more than mindfulness meditation. The best performer was exhale-focused cyclic sighing, which is a series of prolonged exhalations. MORE
The Lights Don't Lie
A researcher at the University of Chicago published a paper that shows how GDP correlates to nighttime lighting as visible from satellites. He then compared that lighting to countries' claims of GDP growth, and found that autocracies are probably lying about how well they're doing. MORE
New Podcast Slowdown
A report shows the number of newly created podcasts between 2020 and 2022 dropped by 80%. MORE
10 people were killed by a 72-year-old gunman on Lunar New Year's Eve in Monterey Park, CA. The city was the first majority-Asian city in the US, and the attacker was identified as Huu Can Tran. No motive has been established. MORE
IDEAS & ANALYSIS
✍️ OpenAI's Purpose is to Build AGI, and What That Means MORE
✍️Your Experience is Your Creativity MORE
✍️ How to Contact and Interact with a Mentor MORE
I’m starting to see climate change like automobile safety. Telling people to drive better didn’t do nearly as much as making safer cars. I think it will be the same with climate change. Carbon extraction will turn out to be far more effective than policy. And of course we still need both. TWEET
I've been off-routine for a number of weeks now, and it sucks. Primary cause is sleep cycle, but I've almost got it back on schedule. I'm at the point of just using brute force to adhere to the 2300 to 0700 sleep schedule. Just wanted to let people know that just because I made a routine doesn't mean I don't struggle sometimes to stay on it.
In better health news, my table tennis is probably the best it's ever been. I'm beating people at my local club that I couldn't even score points on previously. And this is because I have been eating better and working out fairly consistently, which allows me to stay low, fast, and dynamic during points. So fun. It's the best participation sport ever in my opinion. It's a martial art with speed and spin.
I overtuned my WAF last week and started blocking people, including myself, out of my site. Easy to fix, but it surprised me that benign users hit xmlrpc.php that many times during a normal session.
I'm going to be talking in our community this week about a technique I'm using to generate security reports using GPT. Really excited about it as a way to organize assessments and reduce writing time. I'm estimating that it'll raise quality and consistency for reports by like 20%, and reduce writing time by like 50%. I'll share the details in Slack so others can copy the technique.
⚒️ pdtm — The Project Discovery Tools Manager. Manage all your PD tools in one place! Just run `pdtm --install-all`. TOOL | BY PROJECT DISCOVERY
⚒️ octosuite — An OSINT tool that targets GitHub organizations, repositories, and users. It branches from the code, to the people who contribute, finds links between them, and gathers all the content together for further exploration. TOOL | BY BELLINGCAT
⚒️ caido — There's a new ZAP and Burp competitor called Caido. It's a Rust-based tool for auditing web applications and it emphasizes speed, stability, and (honestly) youth, over existing players. I'm going to be playing with it in the next few weeks and will report back with initial impressions. TOOL | MEET THE TEAM
⚒️ curlconverter — Convert curl commands to various languages. TOOL
📊 geckoboard — I've been looking for a charting solution for ages. This one promises a real-time dashboard in minutes using over 80 integrations. TOOL
📊 summate.it — Paste in an article URL, and it'll use GPT to turn it into a bulleted summary. TOOL
📢 There's a new podcast, fantastically named Critical Thinking, about bug bounties. It's by Rhynorater and Teknogeek, and the music was made by YTCracker. I've listened to one episode so far and if you're into the bounty scene it's a must. MORE
🔭 [ Sponsor ] Privacy Dynamics — Are you having trouble generating anonymized and realistic data for testing? Privacy Dynamics can generate a sanitized dataset that functions just like production data without causing privacy and security data problems. BOOK A DEMO
My buddy Jason Haddix did an awesome thread correlating high-profile breaches and the controls that could have helped them. THREAD
A long-time UL member, Joshua Peskay, wrote a fantastic piece about a character.ai character called "I pass butter". He talks about how the bot is a seriously compelling conversationalist, and how AI bots might turn out to be better chat companions than humans for many people. Absolutely worth the read, although I did dock points for it not being hosted on his own blog! MORE
A desktop setup centered around an iPad as the computer. MORE
RECOMMENDATION OF THE WEEK
Routines and Sunk Cost Fallacy
There's something like Sunk Cost Fallacy happening when you beat yourself up about falling out of your routine. It's like not planting a tree thirty years ago. Doesn't matter. Today is a new day, and a new opportunity to do what you know is best for you.
APHORISM OF THE WEEK
"Imagination means nothing without doing."
Charles Spencer Chaplin