I’m excited to announce that we’ve launched a twitter account. If you’re on twitter, please follow us: @ReThinkSec . I’d like to use twitter to send out interesting articles and insights that may not make it into the newsletter or for topics that are more timely and can’t wait a month to get out. It’s also a good way for you to send interesting topics to me, if there’s something you think would be good for an upcoming article or a piece of news that should be in an upcoming newsletter just @mention us or DM it to us and we’ll help get the word out.

Recent ReThink Articles

Every Application Fails in Unique but Predictable Ways: A Study in Zoom - Zoom is a case study in how software can fail. They added millions of users to their platform seemingly overnight. They learned years of security lessons in a month. In this article I explore what Zoom has done to improve, where they’ve hit the mark and where they’ve missed.

A Traveler’s Method of Learning Technology - In this post I explore one of my methodologies for learning. Like exploring a new city through the neighborhoods and highways you can use a similar method to map out new knowledge. Understanding parallels in areas you’re learning and when to go deep and when to go broad is a skill that will pay dividends for your entire career.

COVID Thoughts

If you’re suffering from COVID overload you can skip this section (consider the “Distractions from COVID section instead).

If not, read on.

xkcd: Everyone’s an Epidemiologist

If you’re like me you might find all of your weeks melting together. This “new normal” that everybody is talking about is feeling more and more like normal to me. I love the idea of contact tracing as a way to help identify people who should get tested for COVID, and I love the idea of companies and governments coming together to help save lives, but it’s important to weigh these changes with the privacy and data collection costs that may come with them.

One interesting example of this is Cellebrite rebranding some of their phone cracking software to help track coronavirus. When compared to the phone hacking services they were providing earlier this is a positive pivot, but it shines a light on their capabilities. This information should not be forgotten after the virus has subsided.

Another example of this is large scale marketing firms providing their own version of contact tracing. As wonderful as it is that a company can be altruistic to help understand the spread of COVID, it’s just as important to remember that these technologies existed before the virus. These companies are using contact tracing to understand social networks for improved marketing and targeted advertising.

Many people have written about Apple and Google’s collaboration to help track COVID contact. It has been heralded as an obvious solution to the problem, or as an ineffective app that will lose the people’s trust , or even as a comparison to Nazi Germany (Godwin’s law) . It’s important to remember that these apps are neither perfect nor a panacea, they are all parts of a much larger puzzle.

On the other end of the spectrum, some companies are starting to censor inaccurate COVID news. Others like YouTube have introduced a fact checker into their site. I think most of us can get behind the idea of stamping out false information, but where does that end and censorship begin? The Atlantic and Matt Taibbi explore these implications:

We must assess each of these changes post-COVID. Some may be worth keeping, some may need to be revised or removed as soon as feasible.

Bill Gates does an exceptional job of explaining how vaccines work and why they’re safe and effective. The race for a COVID-19 vaccine, explained - YouTube

More Security Headlines

ICQ is back? I wrote on twitter in early April that ICQ is back. For those of you who are old enough to remember one of the original IM platforms don’t get nostalgic. ICQ was sold to a Russian conglomerate, it actively chooses to not use encryption and to collect all traffic.

Moving from reCAPTCHA to hCaptcha - Cloudflare is moving to hCaptcha, a private alternative to Google’s reCAPTCHA, which I raised concerns about in an article in July of last year.

This is what end-to-end encryption should look like! - Jitsi - I’ve been enjoying using Jitsi as a Zoom alternative. It’s browser based and has it’s limitations, but I really like this article about how they’re implementing end to end multi-user encryption. Privacy based Video-chat is not a straightforward challenge.

What’s a 10? Pwning vCenter with CVE-2020-3952 | Guardicore Labs - This is a very technical look at CVE-2020-3952 which could allow an attacker complete takeover of a vCenter server. It’s a CVSS 10.0 out of 10.0, as bad as it gets. If you use vCenter upgrade immediately. If you’re a technical security nerd give this a read.

GE - Maintaining Security In An Agile Environment - YouTube - GE explores the major changes they’ve had to make in their development and security process to keep up with Agile and partner with global security teams. I love how they tackled the problem, were honest with themselves, and came up with a novel solution that works for all parties.

Would You Have Fallen for This Phone Scam? — Krebs on Security - Phishing attacks are getting very sophisticated. Banks aren’t keeping up with the threats. We need a new mechanism for bi-directional authentication.

AttackerKB | Topics - AttackerKB lets security pros rate different CVEs. This could give you real-world insight into how severe these issues are beyond their CVSS score.

Distractions from COVID

SomeGoodNews - YouTube - John Krasinski highlights some good news around the world. Just good, heartwarming news from heroes and celebrities around the world to help brighten your day.

Is life a gamble? Scientist models universe to find out | Live Science - Where did all life come from? The search for abiogenesis is a long and difficult one, but these scientists may have discovered something worth looking into.

The Devastating Decline of a Brilliant Young Coder | WIRED - We have all felt the pressures of burnout, maybe our personalities and interests have changed over the years, but this article was such an exceptional story it is absolutely worth reading.

Apple Aims to Sell Macs With Its Own Chips Starting in 2021 - Bloomberg - This has been coming for years since Apple started fabricating their own chips. What they are able to do for the iPhone and iPad by keeping blazing speed while keeping battery life up is nothing short of amazing. I am excited to see the first Macs with Apple chips come out.

Please subscribe to our newsletter. Each month we send out a newsletter with news summaries and links to our last few posts. Don’t miss it!