Unsupervised Learning Newsletter No. 299

News & Analysis

STANDARD EDITION | Ep. 299 | Monday: September 20, 2021

SECURITY NEWS

Apple did an emergency patch last week for a zero-day NSO exploit that installs its Pegasus tool. The attack affected every iPhone, iPad, Mac, and Apple Watch. The attack came in via Messages, and once installed, the software gains full control over the device. Citizen Lab alerted everyone to the issue, and the story is applying even more scrutiny to the NSO Group, which is an Israeli company that sells this software to governments all over the world. More

Researchers have compiled a list of vulnerabilities used by ransomware gangs. They include Pulse Secure VPN, Citrix, Exchange, Fortinet, SonicWall, F5, Palo Alto, QNAP, Sophos, SharePoint, Windows, Office, vCenter, Accellion, FileZen, Atlassian, Zoho, and Azure. More

Indonesia says at least ten government ministries and agencies, including systems from their intelligence service, have been compromised by a Chinese threat actor Mustang Panda. More

You'll soon be able to sign in to your Microsoft accounts without a password. Instead, you'll use Microsoft Authenticator, Windows Hello, a security key, or a login token sent via SMS or email. More

China disappeared one of its biggest celebrities from the internet. Her name is Zhao Wei, and she's basically the Reese Witherspoon of China. Everyone knows her, and she just got Thanos snapped out of existence. She can't be found on search engines, video sites, or anywhere. She was basically erased from Chinese history. This happened as China is in the middle of a crackdown on celebrity itself, which they say is unhealthy. It's not clear what she did to anger the government, but it could be that she was simply too big and they wanted to make an example. I imagine a lot of celebrities in China are about to suddenly be very patriotic, and I imagine that's exactly the point. This is the size of the weapon China is using in their Culture War 2.0. Erasure of Self. No matter how big you are. If you're not sufficiently pro-Party. More

Vulnerabilities: Adobe, SAP, Microsoft, Chrome, TravisCI, Netgear Smart Switches,

Companies:

  • Neosec raises $21 million to do API security. More

  • Identity startup Persona valued at $1.5 billion. More


TECHNOLOGY NEWS

The Apple September Event:

  • As someone who used to work in security at Apple, I'm extremely pleased that many of the rumors were wrong, which hasn't happened in years.

  • I saw the announcements as solid evolutions—much like an "S" release of the past. This piece says the 13 is a pitch-perfect 12.

  • The two things I'm excited about with the phone (I'm getting the blue Pro) are the camera and the screen.

  • I'll also be getting the new watch when it drops, but I'm disappointed we didn't see more watch faces. More than anything I'd like to see more creativity and flexibility there.

  • Watch-wise, what I'm truly looking forward to is a round face. Who knows if that'll ever happen.

Like 80% of web backends are written in PHP. Still. In 2021. The next closest competitor? ASP.NET, at 8%. Stunning. More

Intuit is buying Mailchimp for $12 billion dollars. More


HUMAN NEWS

A company called Amdocs did a study that found that around 30% of GenZ and Millenials have thought about switching jobs, but only around 15% of GenX and Boomers. So, around half. More

We finally figured out what made the Stradivari violins the best in the world after all this time. They were made from 1660 to 1750 and we've been unable to match their quality ever since. Turns out, it was the varnish. More

Women are nearly half of new gun buyers. More

Not sure how much this is anecdote vs. data, but Dr. Andrew Huberman says a colleague of his told him around 25% of students age 16-32 take unprescribed Adderall, and 5-10% also take Modafinil or Armodafinil. More

Some rich people are counting their antibodies. More

Antibody treatment is getting really popular, especially among those who don't want to get vaccinated. The irony is that the treatments are quite new, and are basically cloned antibodies from Regeneron and Eli Lilly, which are companies not unlike Pfizer and Moderna. They're happy to sit in a chair and be injected with cloned antibodies from a couple of pharma companies, but think it's crazy to get a vaccine that teaches your body to make the antibodies yourself. Ultimately it comes down to conservative talk radio and podcast hosts promoting the latter and not the former. In other words, this country is doomed. More
 
California has the lowest COVID case rate in the country. Meanwhile, Alabama reported more deaths than births for the first time in its history. More More


CONTENT, IDEAS & ANALYSIS

It's Time for Vendor Security 2.0 — My essay on our broken approach to vendor security, and what I think we should do to fix it. More

The Is-Ought Problem and the Ship of Theseus — How human perspective might be the missing piece to solving a number of timeless philosophy problems. More

My Thoughts on the OWASP Top 10 2021 — My analysis of the new OWASP Top 10 for 2021. More

Why People Aren't Going Back to Work — This is a brilliant, video-based argument for why many people might not be returning to work. Essentially, because of millions being laid off from the COVID recession, people are figuring out most jobs are not dependable, and that illusion was the only reason they were willing to take so little pay in the first place. I think this is definitely a factor, but I think the percentage of people who are going to start a business and pursue their dreams is much lower than this person thinks. Many more will just decide to stay out of the job market as long as possible, i.e., by moving back home, living off a partner, etc. Combine those with the stimulus money, and I think you have most of the explanation. More

Unemployed Spies — There have been several stories now about former spies being hired as consultants in repressive regimes to track down dissidents. It's starting to remind me of the Iraqi Republican Guard situation during the wars. We walked in and just disbanded the entire group, and what do you know—they became a major problem for us. The point is that I'm sure they'd rather have been doing something else, but working against their own government became lucrative and their kids had to eat. This is less extreme of course, but we seriously need to think about how to maintain moral employment for people with highly valuable and highly morally sensitive careers. Spies. Assassins. Etc. You can't just train these folks up and wave goodbye at the end of their terms. Well, you can, but they might go work for a frenemy. And that's exactly what we're seeing. There should be some sort of permanent home for these types, in a friendly capacity, so that they don't feel pressured to take their skills elsewhere. And that should be required to even fund and run the program in the first place. More


NOTES

I am seriously loving Sean Carroll's The Big Picture. The concept of Poetic Naturalism really resonates with me. As does the idea of Effective Theories, which is basically a model of the way things work that will never change, even if we get better explanations for physics later on. More

I'm now knee-deep in the UL Book for the month, which is Mastermind. Book Club next Sunday! More

I'm looking for a new fantasy series. Suggestions welcome.


DISCOVERY  

[ Sponsored Discovery ] Semgrep — As someone who's been in Application Security for over a decade, I personally believe that Semgrep is the future of static analysis. That's how excited I am about this tool. It's been on my radar for a while now, I've talked about it before here on the show, and my friend Clint Gibler of TLDRSec also works there! Essentially, it's a framework for searching for things you care about within code, within configurations, etc., and it's wicked fast. So pretty much anything you want to check for, you can write a YAML rule for and integrat it into your workflow. It supports over 17 languages and is powered by over 1,000 community rules. If I had to rate my top security tools of the past few years, and make predictions for impact into the future, my top two would be Nuclei and Semgrep. If you do anything around static analysis—seriously—take a look. More Get Started

Don't be the Insecure Interviewer More

A Housing Theory of Everything — The idea that unaffordable housing is a meta-problem that causes most others. More

Men are giving up on college. More

Every engineer should do a stint in consulting. More

A Threat Intelligence Kanban Board More

Write Something More


RECOMMENDATIONS

James Clear's newsletter is one of the few I look forward to every week. It's just a few quotes, and it's extremely concise, positive, and thought-provoking. Sign Up


APHORISMS

“Of all forms of caution, caution in love is perhaps the most fatal to true happiness.”

~ Bertrand Russell