Exploring the Intersection of security, technology, and society—and thinking about what might be coming next…
I spend 20+ hours a week consuming content about security, technology, and society. Every Monday morning I send a curated summary of the most important news, ideas, and discoveries. It's 20+ hours of content distilled into a 10-minute read/listen.
 
Standard Edition  (Get the Member Version)  |  Ep. 307  | November 15, 2021 | Read in Browser | Subscribe
SECURITY NEWS

An official FBI email server was hacked and used to send a fake threat email. The email had multiple spelling mistakes and was obviously fake on closer inspection, but the problem is that it passed SPF and DKIM checks, meaning it really was sent from an FBI server. The FBI later confirmed the issue and said they were looking into it. More

A new piece of open source malware written in Go called BotenaGo can exploit more than 30 different vulnerabilities in routers and IoT devices. Once installed, it works by listening for targets either locally or on port 19412. More

China has built mockups of a US Navy aircraft carrier and other warships to use as missile target practice in the Taklamakan Desert. More

Security vendor Randori is in trouble because they've had a working exploit for the PAN-OS vulnerability for months that they've been using for pentests. More

Blackberry has found information on an Initial Access Broker (IAB) linked to three different hacker groups. Initial Access Brokers are a pretty cool part of the attacker ecosystem: they essentially manage the initial access to companies, systems, and networks all over the world. They work by getting access themselves, and then auctioning off their access to other groups on the DarkWeb. A study in August showed that the average cost for access going back a year from July was $5,400. More

North Korean attackers are using malicious Blogspot blogs to deliver malware to high-profile South Korean targets in the think-tank space. More

China is growing a massive army of hackers, and they won't be criminals—they'll be state-sanctioned professionals. More

Incidents: 
  • Costco says a data skimmer has been stealing data from customers. More
  • HPE says customer data was compromised in an Aruba data breach. More
Vulnerabilities: 
  • CISA has released an advisory on multiple vulnerabilities in Siemens' Nucleus Realtime Operating System. More
  • Samba has released multiple security updates. More
  • SAP Patches Critical Vulnerability in ABAP Platform Kernel. More
  • 14 new vulns discovered in BusyBox. More
  • Zoom patches high risk issues in Meeting Connector and Keybase. More
  • Palo Alto patches a CVSS 9.8 vulnerability in GlobalProtect. More
  • Adobe has released updates for multiple products. More
  • VMware has released an advisory on a privilege escalation vulnerability in vCenter Server. More
Companies:
  • McAfee is going private in a $14 billion private equity deal. More
  • Jetpack has acquired WPScan. More

TECHNOLOGY NEWS
Seoul is going to be the first major city in the metaverse. My first question was, "cool, which one?" And the answer is—their own. That's the trick with all these metaverses: they only work well if you have a big clear winner that everyone flocks to, or if they're interoperable with each other. Which of course they won't be. So what we'll end up with—at least at first—is a bunch of really small metaverses with a limited number of users. What people think of as a metaverse is actually Ready Player One, which of course is an instance of the first version. It's one big company winning all the market share. More

23andMe CEO says she wants to make better drugs using the insights from her company's millions of DNA samples. More

AMC now lets you buy movie tickets with Bitcoin. More

Digital art images are not actually stored on the blockchain. If you were to store a 500KB file on the Ethereum blockchain it would cost around $20,000. What's stored instead is a URI pointing to the image. Big difference, especially since whoever controls the host can change what's at that URI. Someone must have thought of storing the URI plus a hash of what was there at creation time. More
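As an added illustration of the URI-plus-hash idea (example code written for this note, not from any NFT standard or contract; the record layout, the URI and the image bytes are all constructed):

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TokenRecord:
    """Constructed stand-in for an on-chain token record (not any real contract's layout):
    the off-chain pointer plus a commitment to the bytes served there at creation time."""
    token_id: int
    uri: str
    content_sha256: str


def mint(token_id: int, uri: str, content_at_mint: bytes) -> TokenRecord:
    """Store the URI together with the SHA-256 of the bytes served at that URI at mint time."""
    return TokenRecord(token_id, uri, hashlib.sha256(content_at_mint).hexdigest())


def verify(record: TokenRecord, fetched: bytes) -> bool:
    """True only if the bytes fetched from record.uri today still match the hash stored at mint.
    A host that silently swaps the file cannot also change the hash committed on-chain."""
    return hashlib.sha256(fetched).hexdigest() == record.content_sha256


def demo() -> tuple[bool, bool]:
    uri = "https://art.example.invalid/token/1.png"        # constructed, not a real host
    original = b"\x89PNG original artwork bytes (constructed)"
    record = mint(1, uri, original)
    still_same = verify(record, original)                  # host still serves the original
    swapped = b"\x89PNG swapped artwork bytes (constructed)"
    swap_detected = not verify(record, swapped)            # file changed: hash mismatch
    return still_same, swap_detected


if __name__ == "__main__":
    print(demo())  # (True, True)
```

Anyone holding the record can repeat the check against whatever the URI serves today, which is the whole point of committing the hash rather than only the pointer.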

Rivian had an amazing IPO, rising 29% on Wednesday and then 22% on Thursday. It closed at $122 after opening at $78. I'm not watching the space closely, but I can't help but feel like a lot of this hype comes from people feeling like they missed the Tesla boat, and they want to make sure they don't miss this one. But there's no guarantee whatsoever that Rivian is another Tesla. More

TikTok is getting into mobile gaming by partnering with Zynga. Um, how do I invest? More

Twitter is building a crypto team. More


HUMAN NEWS
A new class of drug has reversed paralysis in mice. I normally don't post these types of stories because 1) they're mice, and 2) there are lots of interesting studies that don't end up being practical. This one looks pretty spectacular. They cut the spines of the mice, waited 24 hours, and then gave the treatment. The mice that got the treatment could walk almost as well as before the damage four weeks later. Those who did not get the treatment did not. More

Hiring is way up in North America—for robots. Factories and other industrial customers ordered 29,000 robots, which is 37% more than the same time last year. Cool, so more and more people are leaving the job market, and meanwhile we're hiring more robots. Everything seems perfectly on schedule. More

CNN has a story of a 9-year-old girl being sold to a 55-year-old man in Afghanistan. I thought it was just a regular story, like something they heard about and verified, but they actually filmed it as the man showed up, paid the father $2,000, and took her away. I get that this type of thing is legal in Afghanistan, but I don't see how legality makes it ok to watch a 9-year-old girl be taken away to be raped by an old man. I don't usually post such heavy stuff, but this is both disturbing and very strange to me. Are we so invested in multi-culturalism that this can be considered ok to someone? Different cultures have different views? Is that seriously a defense here? To anyone? She's 9 years old. Do we not have the moral authority to call this what it is? And if you do claim that authority, why not pay the $2,000 yourself and keep this from happening? I know it can be hard to be a war correspondent and not interfere, but this is way beyond that in my opinion. I don't know how one is supposed to hold a camera and be objective about this. More

Los Angeles and San Diego are looking to stop strict grading on things like turning in assignments and taking tests, and they're moving more to "citizenship" scoring, which factors in things like physical fitness and extra-curricular activity. This is completely ridiculous, and the only thing it's doing is guaranteeing that ambitious parents and students will either 1) have tutors, 2) go to supplemental schooling outside of school, or 3) will leave the public schools altogether. This type of education is basically creating a giant American underclass that will end up serving food to the first and second-generation immigrant students who still value actual education. That's the irony: I'm sure you could ask any administrator in these schools about income inequality and they could tell you all about it, but what they can't see is how they're actively creating it. More

America now has 520 million open credit card accounts, which is the most ever. Household debt is at $15 trillion. More

There's a political gap in the number of people who've died from COVID, and the gap is growing. "In October, 25 out of every 100,000 residents of heavily Trump counties died from Covid, more than three times higher than the rate in heavily Biden counties (7.8 per 100,000)." More


CONTENT, IDEAS & ANALYSIS
Degrees and Credentials in InfoSec — My thoughts on the never-ending debate around whether you need credentials to get into InfoSec. More

Quantum Computing vs. Blockchain/Crypto — People are starting to talk more about the risk of quantum computing to blockchain and cryptocurrency. It's been a known risk for a very long time, but now that crypto is becoming this massive force in our economy, people are taking more notice. The summary is basically this: 1) quantum computers keep getting better, 2) we're not sure if/when they'll get good enough to attack current public-key cryptography, but it could be 2-10 years, which is very fast, 3) if that happens, whatever economy is based on cryptography could suffer a hard crash, and 4) there are ways for blockchain and other cryptography implementations to become more resistant to quantum computing, and the US government has been working on this for a long time, but making those changes will also take time and could have other performance implications. In short, it's something to watch.

COVID Winter — I'm not an expert in this stuff, but take this for what you will. I expect to see another COVID surge in December and January based on a few factors. 1) Protection from vaccines is tapering off quickly, with people with 2 shots of Moderna having around a 58% effectiveness of the vaccine after 6 months. For most people, that's October. 2) People are seriously tired of being restricted, and they're likely to behave very pre-pandemic-like during these holidays. And 3) I worry that relatively few people are going to get boosters until the surge is already going strong, say around January to February. This thing is not over, and the points above don't even account for additional variants. My layperson advice: Get a booster and only hang out with large groups outdoors.


NOTES
My friend Angela, who also happens to be UL's Manager of Sponsorships and Marketing, has a remarkable daughter named Hope. She recently decided she wanted to make a play, so she rewrote an adaptation of Midsummer Night's Dream. That would be impressive by itself, but she decided to produce and direct the play as well. That means finding sponsors, managing expenses, finding actors, holding practices, and generally managing all the logistics that go with such a thing. Oh, she also acted in it. I wasn't able to attend, but I hear the play was well-received. She's 15. Congrats to Hope, and to her parents for raising such a remarkable human.  

I've started having Athletic Greens every weekday morning along with my coffee. I'm not affiliated with them, but if you sign up using my referral code you'll get 5 free travel packs and I'll get $15 off my next purchase. I basically treat it as vitamins, and since I don't eat breakfast or lunch most days it ends up being my only "food" until dinner. Sign Up With My Code

I found my favorite DJ perhaps ever. He's on TikTok, and his name is gta_changretta. He's disabled and restricted to the bed, and controls his set using one hand on his machine. He plays the exact type of EDM that I like, plus he speaks Spanish and plays a lot of Reggaeton, which I also like. If you're into any of this, and have a way to enjoy TikTok safely, you should check him out. I like listening to him live and going driving. Serious hype. More

I signed up for Twitter Blue. Not sure there'll be any benefit, looking at the current features. But I like the idea of subscriptions and I want them to be successful and keep rolling out new functionality. Currently, the main draws are the undo feature and ad-free article viewing.


DISCOVERY  

If your company is interested in sponsoring an episode of Unsupervised Learning, reach out to us here! UL Sponsorship
[ Sponsored Discovery ] 

Security Incident Containment with Teleport

What would you do when a security incident is detected? Shut down the servers? Pull out the power cord? When an incident is detected, both the incident method and the time required to contain an incident are essential to limit the damage.

Teleport allows you to control the traffic going in and out of a system, giving you the ability to quickly contain lateral movements and prevent further infection propagation due to compromised access. When your infrastructure access is managed by a uniform layer—with only one way in and one way out—it becomes super easy to contain a threat.

Learn More
10 Steps Towards Happiness More

Burning Man: The Musical — In this musical comedy we follow Molly, a promising young tech grad, as she returns to the playa of Black Rock City - this time employed by the very tech company that, unbeknownst to her, seeks to destroy it. After being given the task of acquiring drugs for her boss's exclusive party, Molly finds herself on a journey inward - and through the community of Burning Man - finds her truest self. More

An interesting argument that writer's block is a problem with sincerity. More

A bakeoff between the iPhone 13 Pro and the Pixel 6 Pro cameras using 2,000 photos. More

Binary Reversing Methodologies More

Simple SSH Security — A collection of steps to lock down your SSH instances. More

Gron — Make JSON greppable. More | by TomNomNom

Fast Google Dork Scan More, by IvanGlinkin

APIs for OSINT — A collection of APIs for use in automating your OSINT workflows. More | by cipher387

Quiet Riot — An enumeration tool for validation of AWS account IDs, root emails, users, roles, and more. More | by RighteousGambit


RECOMMENDATIONS

Sam Harris had a spectacular podcast this week about sleep. It's a 4-hour conversation that's completely approachable at 1.5x, and it's so dense with knowledge and insights I don't think you'll mind the duration. It's funny: my entire peer group is getting more and more obsessed with sleep now, and between this podcast and podcasts like Huberman Lab, I am getting a single message: Sleep is crucial to success, happiness, and long-term health. So now I'm about to go crazy with my optimization of sleep—from diet, to caffeine, to smart home temperature setting for bedtime and wake time, etc. And when I finally publish my new personal routines in Github I'm going to have a full section on sleep annotated with where I learned which piece of the methodology. Anyway. Sleep. This is a great podcast to get you enthused. Also, a ton of us in the UL Community are big into our Oura rings, and a few of us have our new ones on the way. If you get into sleep I highly recommend you get one. Sam's Sleep Podcast | The Oura Ring


APHORISMS
"The sole cause of man's unhappiness is that he does not know how to stay quietly in his room."

~ Plutarch
If you're reading this it means you didn't get last week's member issue.

Sign up now to get all episodes, plus the archives, as well as access to The UL Slack community, the UL Book Club, and special member-only content…



I hope you have a fantastic week.

—Daniel
Copyright © 1999-2021 Daniel Miessler, All rights reserved.
You can also update your preferences or unsubscribe from this list