Web Security
projectdiscovery/proxify
Swiss Army knife proxy tool for HTTP/HTTPS traffic capture, manipulation, and replay on the go. Supports multiple operations such as request/response dump, filtering and manipulation via DSL language, and upstream HTTP/Socks5 proxy. Includes a replay utility allowing importing into Burp or any other proxy by simply setting the upstream proxy to proxify.
Cloud Security
Compliance-as-code and auto-remediation with Cloud Custodian
AWS blog post about using Cloud Custodian + Lambdas to enforce compliance-as-code and auto-remediation. Cloud Custodian is an open source, stateless rules engine that offers policy-level execution against multiple kinds of event streams, including CloudWatch Events, CloudTrail events, and more.
Best Practices for AWS Security - Part 1 with Scott Piper
Scott Piper joins Corey Quinn on Last Week in AWS to discuss flaws.cloud, the fwd:cloudsec conference, what Scott thinks AWS does and doesn’t do well, and what Scott believes is the best security boundary on AWS.
Infrastructure as Code
Building an IaC security and governance program step-by-step
Bridgecrew’s Guy Eisenkot gives a nice overview of how to roll out an infrastructure as code scanning platform, including various trade-offs: leveraging your existing CI/CD pipeline or code hosting platform, annotating PRs with comments vs blocking the build, setting expectations and SLAs with dev teams, and leveraging approval rules and CODEOWNERS files.

Shifting Threat Modeling Left: Automated Threat Modeling Using Terraform
In this HashiConf Digital 2020 talk, Accurics co-founder Om Moolchandani describes how one can (in theory) extract information like resource (mis)configurations, resource relationships, network relationships, identity access and privilege relationships, trust boundaries, exposure, and more from Terraform code. He then demo’d using their open source tool terrascan.
I think building a model of an environment via analyzing infrastructure as code files (Terraform, CloudFormation, etc.) is a very promising and currently underutilized idea. While this talk references the idea of doing that, based on my read, it does not appear terrascan is currently leaning into this, but is rather scanning for a set of known misconfigurations (like most other existing tools).
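To make the distinction in the paragraph above concrete, here is an added example (my own illustration, not code from the talk, from Accurics, or from terrascan). It takes a constructed fragment shaped like `terraform show -json` plan output, builds a small model of resources and the references between them, and then runs two checks: a per-resource "known misconfiguration" check (security group open to the world), and a relationship check that only fires when a world-open group is actually attached to a publicly addressable instance. The resource names, the plan fragment, and the `associate_public_ip_address` heuristic for "publicly addressable" are all assumptions made for the example.

```python
"""Build a relationship model from Terraform plan JSON and flag real exposure.

Added example, not from the talk or the terrascan project. SAMPLE_PLAN is a
constructed fragment modelled on `terraform show -json` output; only the
fields used below are present.
"""
import json

# Constructed sample: one security group open to the world on port 22, one
# restricted to RFC 1918 space, and two instances referencing one group each.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.0",
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_security_group.admin", "type": "aws_security_group",
         "values": {"ingress": [{"from_port": 22, "to_port": 22,
                                 "cidr_blocks": ["0.0.0.0/0"]}]}},
        {"address": "aws_security_group.internal", "type": "aws_security_group",
         "values": {"ingress": [{"from_port": 22, "to_port": 22,
                                 "cidr_blocks": ["10.0.0.0/8"]}]}},
        {"address": "aws_instance.bastion", "type": "aws_instance",
         "values": {"associate_public_ip_address": True}},
        {"address": "aws_instance.db", "type": "aws_instance",
         "values": {"associate_public_ip_address": False}},
    ]}},
    "configuration": {"root_module": {"resources": [
        {"address": "aws_instance.bastion", "expressions": {
            "vpc_security_group_ids": {"references": [
                "aws_security_group.admin.id", "aws_security_group.admin"]}}},
        {"address": "aws_instance.db", "expressions": {
            "vpc_security_group_ids": {"references": [
                "aws_security_group.internal.id", "aws_security_group.internal"]}}},
    ]}},
})


def build_model(plan_json: str):
    """Return (resources, edges): address -> planned resource, and a set of
    (from_address, to_address) edges, one per cross-resource reference."""
    plan = json.loads(plan_json)
    resources = {r["address"]: r
                 for r in plan["planned_values"]["root_module"]["resources"]}
    edges = set()
    for res in plan["configuration"]["root_module"]["resources"]:
        for expr in res.get("expressions", {}).values():
            # Attribute expressions are dicts; nested blocks are lists, skipped here.
            refs = expr.get("references", []) if isinstance(expr, dict) else []
            for ref in refs:
                # Plan JSON lists both "type.name.attr" and "type.name";
                # keep only references that resolve to a planned resource.
                if ref in resources:
                    edges.add((res["address"], ref))
    return resources, edges


def world_open_ports(sg):
    """Set of ports a security group admits from 0.0.0.0/0 or ::/0."""
    ports = set()
    for rule in sg["values"].get("ingress", []):
        cidrs = rule.get("cidr_blocks", []) + rule.get("ipv6_cidr_blocks", [])
        if any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
            ports.update(range(rule["from_port"], rule["to_port"] + 1))
    return ports


def misconfig_findings(resources):
    """Isolation check, as a conventional scanner would do it: every
    security group with a world-open ingress rule, attached or not."""
    return sorted(addr for addr, r in resources.items()
                  if r["type"] == "aws_security_group" and world_open_ports(r))


def exposure_findings(resources, edges):
    """Relationship check: (instance, group, ports) triples where a publicly
    addressable instance is attached to a world-open group."""
    findings = []
    for src, dst in sorted(edges):
        inst, sg = resources[src], resources[dst]
        if inst["type"] != "aws_instance" or sg["type"] != "aws_security_group":
            continue
        ports = world_open_ports(sg)
        if ports and inst["values"].get("associate_public_ip_address"):
            findings.append((src, dst, sorted(ports)))
    return findings


if __name__ == "__main__":
    res, edges = build_model(SAMPLE_PLAN)
    print("misconfigurations:", misconfig_findings(res))
    print("exposure paths:", exposure_findings(res, edges))
```

On the sample, the isolation check reports `aws_security_group.admin` regardless of what uses it, while the relationship check reports only the `aws_instance.bastion` to `aws_security_group.admin` path on port 22; the `db` instance is attached to the restricted group and gets no finding. The same edge set is the starting point for the other things the talk mentions (trust boundaries, identity relationships), which is exactly what a misconfiguration-only scanner never builds.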
accurics/KaiMonkey
Purposefully vulnerable Terraform infrastructure by Accurics.
Container Security
Exploring Rootless Docker
Rootless containers have left experimental status in Docker 20.10. Rory McCune describes peeking a bit under the hood to see what’s going on and how it compares to standard Docker re: user namespaces, capabilities, AppArmor, seccomp, and trying to break out.
Blue Team
NSA Recommends How Enterprises Can Securely Adopt Encrypted DNS
The NSA published a document explaining the benefits and risks of adopting the encrypted domain name system (DNS) protocol, DNS over HTTPS (DoH), in enterprise environments. Here’s a diagram from the 7-page PDF:

Red Team
macOS Post-Exploitation Shenanigans with VSCode Extensions
MDSec’s Dominic Chell describes the process of creating a malicious VSCode extension on macOS that can be useful post-exploitation. In short: create a repo template with Yeoman, run JXA through osascript, then use Mythic or another C2 for persistence if you want.
Misc
Maximizing Appreciation of Life
One thing I admire about my bud Daniel Miessler is how reflective he is. He’s played an influential role in helping me mentally flesh out what I want tl;dr sec to be, and how I want to navigate my career and life (“If everything were to go perfectly, where would you want to be in 10 years?”). Here’s Daniel’s life purpose 👇 I’m still working on mine. Do you know what yours is?
I enjoy finding patterns in how people pursue meaning, constructing models for how said meaning works, and then creating, discussing, and sharing possible frameworks for improving it.
Responding to Community Outrage: Strategies for Effective Risk Communication
Recommended by Devdatta Akhawe: “One of my favorite books about risk communication for security leaders is actually written in the context of public health/safety.”
Pirate Bay Founder Thinks Parler’s Inability to Stay Online Is ‘Embarrassing’
Over the years, Kolmisoppi and The Pirate Bay crew explored no limit of strategies to keep its servers operational and out of the reach of law enforcement and the entertainment industry, even when that meant hiding them in caves and submarines, or even using low-orbit drones to redirect users to hidden regional servers hosting torrent indexes and trackers.
Quote
“If you always hire people who are smaller than you are, we shall become a company of dwarfs.
If, on the other hand, you always hire people who are bigger than you are, we shall become a company of giants.” — David Ogilvy
Cash Rules Everything Around Me
An Oscar Winner Made a Khashoggi Documentary. Streaming Services Didn’t Want It.
It is fundamentally hard (and unlikely) for global companies to step on any nation state toes that could lead to massive revenue loss.
That’s why, for example, Apple removed the Taiwan flag emoji for Chinese iPhones and all mainland China iCloud users have their data stored by a firm started by the Chinese government (#lolprivacy).
Bryan Fogel’s first documentary, “Icarus,” helped uncover the Russian doping scandal that led to the country’s expulsion from the 2018 Winter Olympics. It also won an Oscar for him and for Netflix, which released the film.
For his second project, he chose another subject with global interest: the killing of Jamal Khashoggi, the Saudi Arabian dissident and Washington Post columnist, and the role that the Saudi crown prince, Mohammed bin Salman, played in it.
But when Fogel reached out to Netflix and many other streaming services, he didn’t hear back.
In January 2019, Netflix pulled an episode of the comedian Hasan Minhaj’s series, “Patriot Act,” when he criticized Prince Mohammed after Mr. Khashoggi’s death. Mr. Hastings later defended the move, saying: “We’re not trying to do ‘truth to power.’ We’re trying to entertain.”
“This is unquestionably political,” said Stephen Galloway, dean of Chapman University’s film school. “It’s disappointing, but these are gigantic companies in a death race for survival. You think Disney would do anything different with Disney+? Would Apple or any of the megacorporations? They have economic imperatives that are hard to ignore, and they have to balance them with issues of free speech.”
Also:
In November, Netflix signed an eight-picture film deal with the Saudi Arabian studio Telfaz11 to produce movies that it said “will aim for broad appeal across both Arab and global audiences.”
The point here is not to wag a finger at one particular company, but rather to point out that with strong economic incentives, you don’t need to be able to “force” someone (person, company, nation) to do something; they’ll do what’s in their best interests.
This has strong implications for:
- The movies and TV shows we see (and don’t see).
- China is a massive market; don’t expect big media players to produce critical pieces.
- Social media communication paradigms and algorithms.
- More engagement ➡️ more money (and more polarization / rapid spread of fake news).
- And much more.
I don’t have any answers here. This is hard 🤷
And on that positive note, have a great weekend!
Thanks for reading!
Cheers,
Clint
@clintgibler