The Cyber Why: What We Read This Week...
... and why you should too! (08/08/23)
Hello from Las Vegas! I’m writing this from the Four Seasons Veranda as I wait for my first official meeting of hacker summer camp (AKA Blackhat and Defcon). I know I said that I was taking this week off, but I couldn’t resist writing. When the cyber world converges to the desert every summer, the number of press releases and news articles skyrockets, as does my internal monologue!
This week’s TCW has several flashback articles, including content honoring AtStake’s Window Snyder and other Internet security trailblazers. What’s old is new again, as Microsoft and Tenable have a pissing match about responsible disclosure, and Cult of the Dead Cow presents a brand new cybersecurity privacy framework harkening back to the launches of BO2K and L0phtcrack. In the last article of the week, Wiz again dominates the news, this time with a feature article in Forbes Magazine! I can’t wait to see what the future holds for such aggressive, high-growth business tactics. There is most certainly an HBR article waiting to be written on Wiz’s insane growth.
For those of you that are in Las Vegas and want to grab a drink of coffee, please send me a message. And if you didn’t manage to make it out to Satan’s Front Porch (Vegas in August) along with the rest of the hacker world, you will be missed! Enjoy this week’s TCW!
Remember To Thank Those Who Came Before Us
Meet Window Snyder, the trailblazer who helped secure the internet and billions of devices (TechCrunch)
I had the pleasure of working beside nearly every person mentioned in this article. Not only can I say that the article is genuine, but I can also say that the impact that the AtStake team, and Window specifically, has had over the last two decades of cybersecurity is astounding. We made a reality out of our dreams. Congratulations to every one of you who has spent your life trying to make the world a better place. If you want to read a bit more about hacker history, check out this other fantastic article on the impact of the AtStake team. Much AtStake: The Band of Hackers That Defined an Era. I was blessed to play even a tiny part in the growth of cybersecurity - Here’s to the real cyber rock stars that came before us.
It’s 2004 All Over Again - Microsoft In Trouble
Microsoft…The Truth Is Even Worse Than You Think (Amit Yoran - Tenable CEO)
Microsoft hits back at Tenable criticism of its infosec practices (Microsoft)
Why must we keep making the same mistakes that we’ve made in the past? I find it repugnant that we don’t learn and improve over time. It truly is the definition of insanity. However, I’m not entirely convinced that Microsoft is acting poorly, as Amit Yoran, CEO of Tenable, suggests. The crux of the issue is that the Tenable research team found a severe vulnerability in a Microsoft product in March of this year, leaving MANY customers completely vulnerable. As of the article's writing, the fix was half-baked and unsuccessful, and Microsoft said it would take even longer to put out a complete solution. While I agree with everything that Amit wrote, my open question is why? Why is Microsoft unable or unwilling to fix this quicker? In my @stake days, I used to work on responsible disclosure processes for zero-day issues, and you really have to understand the WHY of the vendor when they give you a timeline. I’m not saying Microsoft is correct in what they are doing, but I believe we (the public) don’t have the whole story. If you read the comments on the article, it feels like 20 years ago when every security pro spent hours slamming Microsoft’s security capabilities. Has nothing improved? I want to hear the other side of the story before I pass judgment. Microsoft, please respond!
Breaking News - It looks like Microsoft has shot back against Tenable, stating that they did the best they could and to break procedures would have caused more risk than executing in the manner that they chose. There are two sides to every story! The cyber-drama here is palpable.
Coming Soon - The Launch of VeilID
Hacking group plans system to encrypt social media and other apps (Wired)
In another article that harkens back to the early days of cybersecurity, Joseph Menn enlightens us with the historical impact of the hacking group, Cult of the Dead Cow and teases the launch of a brand new technology framework meant to secure all underlying social media infrastructure automatically. Joseph mixed several storylines in this piece, bringing in whatever click-worthy commentary he could muster. Sadly this took away from the meat of the news - the launch of VeilId.
The latest effort, to be detailed at the massive annual Def Con hacking conference in Las Vegas next week, seeks to provide a foundation for messaging, file sharing and even social networking apps without harvesting any data, all secured by the kind of end-to-end encryption that makes interception hard even for governments.
I had the pleasure of being present at previous unique technology launches by the Cult of the Dead Cow. From BO2K in Vegas to a raw meat-throwing incident in NYC - The CDC never fails to put on a show. If you are in Vegas next weekend, I highly recommend you go check out the launch of this new privacy and security framework.
A Flashback Into The Historical Future
The Long Boom: A History of the Future, 1980–2020 (Wired 1997)
“Learn from yesterday, live for today, hope for tomorrow. The important thing is not to stop questioning.” — Alber Einsten. I firmly believe in looking to our past to predict our future. I also understand that in many cases, past actions do not predict future results, while learning from your mistakes is the most critical result of analyzing the past. In an ode to learning from our past, this is a great article written in 1997 that describes the author’s views of the future through the year 2020. He hits many points correctly and misses many others. The best way to read the piece is to try to grasp his justification for the predictions he makes and learn from where he may have gone off track. I found the article absolutely riveting and well worth the long read.
Hackers Hack the Hackers Again
Spyware maker LetMeSpy shuts down after hacker deletes server data (Tech Crunch)
Poland's notorious spyware, LetMeSpy, is waving the white flag after a hacker didn't just break into their servers in June but deleted their precious stash of swiped data from thousands of victims' phones. And by "waving the white flag," I mean they're shutting shop by August's end. If you try accessing their services, you'll find the doors locked, lights off, and a note basically reading, "Hacker came, hacker saw, hacker deleted” To summarize, LetMeSpy, once boasting control over 236,000 devices, got played at its own spy game. #spywarefail
The Wizard of Growth - Wiz Smacks The World
Nobody Beats Wiz: Meet The Hyper-Aggressive, $10 Billion Startup Shaking Up Cloud Security (Forbes)
As if the Wiz buzz machine wasn’t hitting the pavement hard enough, they just landed a feature in the latest issue of Forbes Magazine. After hitting $100M in revenue in its first 18 months, Wiz has now surpassed the $200M mark in just an additional nine months. I wish I could say their approach is insane and will result in a massive dumpster fire of wreckage, but after posting results like that, it’s tough to believe that they can miss. Wiz is one of the largest “go big or go home” plays I’ve ever seen. They have raised close to $1B dollars and are hiring like crazy in a market that is tightening and showing signs of severe headwinds. They don’t listen to common wisdom and instead forge their own path regardless of what others seem to think.
Rappaport and his cofounders’ “suicide plan,” as they call it—to speed-run company building by hiring fast, raising vast sums of capital and targeting top-of-market corporations first—sent seismic tremors across the industry.
This has come off very negatively to some resulting in lawsuits (Orca) and a murmuring undercurrent discussing shady sales tactics and bullying on the playground. Regardless of your thoughts on the business model, you really can’t knock the outcome. I’ll leave you with this image of what Wiz is doing to the entire cybersecurity market.
If you’ve made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it. Help us out, and we’ll see you next week!