🎓 VulnU #015: Bigger pools have more ways to sink
Short Thought, Big Impact: Exploring Cyber Emissions and Their Connection to Risk
Read Time: 5 minutes
Howdy friends.
One major lesson I’ve learned in committing to this new content creation adventure of mine has been how much harder it is to go from 0 → 1 than it is to go 1 → 100.
Let's dig into that a bit, shall we? Then I'll leave you with something else to chew on.
Today’s takeaways:
Putting myself out there
New ways to ingest Vulnerable U content
Cyber risk as emissions & food for thought
Let's Get Vulnerable
For years I used to record a podcast, before they were cool, called Liquidmatrix Security Digest. We recorded over 100 episodes, and it was just part of my weekly routine to hop on a Skype call with some friends and talk about the security news of the week. It never felt hard, but I didn't have to start Liquidmatrix; the avenue was already there.
Vulnerable U being born out of the ether has been a challenge.
In a very self-referential way, it has made me feel very exposed as I put myself out there every week with my own thing. I'm not new to content creation; I am new to swimming in the deep end alone in a pool of my own making.
This week I made the pool bigger.
🎉 Big news is that you can now digest this content visually or as audio. I've anxiously launched the Vulnerable U YouTube channel and podcast.
From 0 to now 1.
Daunting, but hoping to pick up a bit of momentum here and make it part of the weekly routine for all of you. Also hoping it grows the audience to those who’d rather not sign up for an email.
For those who would rather have the podcast than YouTube, the audio will be listed on all major podcasting platforms. Some have longer approval processes than others, but most major platforms are ready to go. Here are a few:
Since I had all that to say today and I like keeping the newsletter succinct, I’m going to just share a short thought that I’ve been stewing on this week that will most likely turn into some longer form content.
Cyber Emissions
Cyber risk is an emission of doing business online.
Infosec is a series of emissions control systems to keep the whole thing from burning down.
— Matt Johansen (@mattjay)
4:59 PM • Jun 7, 2023
I've quoted him in another recent newsletter, so as you can tell, I'm turning into a big fan of Scott Galloway. He's been putting out this idea that got me thinking about "emissions" being more than just carbon dioxide or other greenhouse gases.
Here is Galloway’s intro to this thought:
The universe is a product of the collision of materials and gases that added value to one another. Humanity’s ascent to the world’s apex predator is also a function of our ability to add value, converting one substance into another. We learned to morph wood into fire, and walnut oil into ink and then into information. We turn sand into windows, computer chips, and water filters. Conversion often produces byproducts, sometimes a bonus: Converting fat into soap produces glycerin, useful in everything from moisturizers to explosives.
More often, those byproducts are a problem. Roasting coffee beans emits compounds linked to lung disease. The vapors that escape aging whiskey feed a black fungus that’s eating whole towns in Kentucky. One hugely inefficient conversion is plants into meat. It takes 25 pounds of feed to produce a pound of beef; 40 times more energy goes into beef than comes out of it as food. Livestock account for 14% of all carbon emissions — equal to all modes of transportation combined.
Carbon emissions are believed to be the mother of all negative byproducts. The conversion of fossil fuels (themselves the product of a conversion) into energy has been the boon and burden of the past century. But there’s something worse:
Converting attention into profit.
It’s made a very few very wealthy and left the rest of us choking on the fumes: rage and polarization. The discharge of the attention economy weakens our immune system, rendering us vulnerable to other emissions, as polarization paralyzes our ability to respond to other externalities: inequality, autocracy, gun deaths, depression, addiction, obesity, and the OG itself, carbon.
This gave my brain the good chemicals. Started the wheels spinning. (Read the rest of his post: here)
❓️ What if we looked at capital R Risk in the same way? What would that make different cyber security solutions?
❓️ Is anti-virus the paper straw of our world? Apparently everywhere now and not solving the real issue.
❓️ Is DLP the catalytic converter? A desperate attempt to reduce emissions as they’re already leaving the engine and into the cloud?
❓️ Is cyber insurance the carbon offset? Spending money to make yourself feel better about not actually doing anything about the risk you’re imposing.
❓️ Is EDR eco diesel or clean coal? A rebrand of an old tech in an effort to make it sound more modern?
❓️ What would carbon capture be? Dark web scraping and storage?
This is a fun exercise but I also think the thought might be a useful thread to pull; so I’m going to explore this more later.
Until then, if your brain is going the way mine is, send me your thoughts. I’d love to include them on the next iteration of this topic.
Elective Reading
It’s infosec Christmas! Verizon DBIR day! If you’re new to it, it’s the most comprehensive report of available breach data that shares trends of what the attackers are actually doing. Grab it here - Link
I've been collecting my thoughts and will most likely blog them soon, but Kelly got an advance copy and her blog is spot on as usual. (Seriously, she's one of the best content creators in the industry.)
maldr0id gave a talk at RightsCon on spyware disinformation campaigns. It seems like the conference had a lot of great attendees and talks. Łukasz did a write up of their talk here: Link to Medium
Glad to see Apple continuing to invest in Lockdown Mode. This is a feature you need to check out, especially if you’re a public figure or journalist.
The ever brilliant John Hammond did some research around the crazy MOVEit vuln that has been causing lots of havoc this week. Originally, it seemed it was a SQLi vuln, but John realized it was RCE as well based on some reversing. Read their whole report here: Link
There is also a great GitHub repo tracking a bunch of things related to MOVEit here: Link
🧵 HUGE Update around the active exploitation of MOVEit 0day!
From @HuntressLabs - CVE-2023-34362 is not just SQLi - they reversed it and found full RCE as well...
— Matt Johansen (@mattjay)
8:29 PM • Jun 6, 2023
I’ve had the honor of working for Phil Venables in a past life and tend to read every word he puts out. Here is another good one. I liked it so much I wrote some thoughts about it on my blog: here
Extra Credit
Help Us Grow! If you know someone who might be interested in joining the Vulnerable U community, please share this newsletter with them! As of now, spread will just be by word of mouth.
Parting Thoughts:
Let me know how I can help, as always. If there's a topic you'd like to see covered in a future edition of the newsletter, or if you have any questions or concerns, please don't hesitate to reach out. I'm always happy to hear from our readers and help in any way I can.
Stay safe, Matt Johansen
@mattjay