This is episode No. 102 of Unsupervised Learning—a weekly show where I curate 3-5 hours of reading in infosec, technology, and humans into a 30-minute summary. The goal is to catch you up on current events, tell you about the best content from the week, and hopefully give you something to think about as well…
This week’s topics: Uber’s mess, Google tracking users, AI finding missiles, drone disclosure, net neutrality, tech news, human news, ideas, discovery, recommendations, aphorism, and more…
Uber revealed that, over a year ago, researchers found sensitive credentials in a public GitHub repo, and used those credentials to gain access to systems and extract customer data on 57 million people. There is a lot of confusion around this story right now. If you have complete clarity in your mind one way or the other, you should discard it and wait for more information. The key point of contention is around the fact that Uber paid these researchers / hackers 100K to not go public with their findings. The media took this to mean a payoff, like hush money, like you would see in extortion. But further details made it look like this could have been much more like a bounty, where essentially the same exact things happen: researchers find things and they are paid not to tell anyone else. The line between these two things is not nearly as bright as most people think or want it to be. My advice is to hold your strong opinions for more information.
The relationship between researchers and companies continues to be volatile, with DJI recently coming after a bug bounty researcher and threatening him with legal action. The researcher was initially submitting issues as part of an official bug bounty program run by DJI, but after getting repeated pushback from them he pulled out of the program and went public. He published his results as a blog/paper titled Why I Walked Away from $30,000 of DJI Bounty Money.
Google has been tracking Android users' location even after they turned off location tracking. Android continues to be a security nightmare and I think it's because it was literally created by an advertisement company to expand its ad business. Think about that. The entire Android ecosystem is there so that Google can sell more ads. In that light it seems a whole lot more obvious why they continue to have constant security problems. They're a multi-billion dollar company. They could address security if they wanted to. I think it's simply good enough for them, which is fine. But it's not good enough for me, or arguably anyone else who needs security from their mobile platform.
Amazon has launched a new Secret Region, meaning it is designed specifically to allow sensitive information classified up to and including Secret. They claim that they're the only provider that can go all the way from Unclassified to Top Secret.
Princeton researchers are reporting that significant numbers of websites are using session replaying to capture both the exact contents of the page you're on, plus the exact mouse movements and keyboard strokes. This means they can do things like capture what you type before you even submit forms. Some companies are sending these recordings to third parties and even linking them to specific users' identities.
AI is being used to find Chinese missile sites. Like information security operation centers (SOCs), this is going to be another situation where AI will make massive headway simply because of a numbers game. Basically, there aren't enough good analysts, and AI can look at a lot more data, and do it continuously. This will give AI a massive foot in the door in places like satellite imagery analysis and security event analysis. The advantage is that they can be pretty bad and still be better than nothing. If the AI can at least find some nuggets to show an L2 analyst, it's provided some value. And if/when they actually get better than an L1 analyst, well, that'll be a whole new conversation.
Twitter has been on fire regarding Net Neutrality, and this piece from Wired gives quite a good summary of what can go wrong once we lose it. One of the key points is that we are already seeing advantages given to certain services based on their affiliations with internet providers, e.g., AT&T customers accessing DirecTV Now and not being charged for the data, and that we should expect a lot more of that if the FCC gets its way. Here are my thoughts on the debate.
Bitcoin has passed $9,000.
QR Codes have been growing in popularity in Asia, and the trend is expected to expand to Europe and the U.S. iOS 11 now includes native QR Code processing, by the way. Just open the camera and point it at one, and it'll show you what site it points to and ask you if you want to go there.
A study has found that people who voluntarily seek out solitude are more creative. This isn't surprising to me, and I find it interesting that they make the distinction between solitude (willful), vs. loneliness, which is undesirable. Basically, if you wish you weren't alone, you're lonely. But if you like being alone you enjoy solitude, and tend to be more creative. That's what I took from it, anyway. It's easy to oversimplify these studies, though, especially when you're reading an article that's already been filtered once.
American doctors make twice as much as doctors in other rich countries, and it could be in part due to something like a cartel controlling every part of the supply and demand.
HealthIQ is a startup that collects health data from healthy people so they can save an average of $1,238 on life insurance per year.
Why We'll See Security Operations Centers Sooner Rather Than Later. This is my response to so many security people saying that AI can't do InfoSec analyst work, how all the current products are garbage, and how it'll be a very long time before this changes.
I wrote an essay titled Simplifying Net Neutrality to capture my opinion on the topic. I think I actually worked my opinion out while writing it, which often happens. Writing as a process for discovery. Interestingly, I decided not to name the piece until I was done, which works well for this type of thing.
🔥 Open Culture's list of 1,300 free online courses from top universities like Stanford, Berkeley, Yale, MIT, Oxford, etc.
Someone on Reddit compiled a list of 149 great American books in chronological order. I plan on reading a number of these, and feel horrible that I haven't read many of them already.
Run the first edition of UNIX (1972) within a Docker image.
Spam is back, but it's taking new shapes now.
How to Run the Latest Version of Nmap on Ubuntu
5 Ways to Instantly Upgrade Your Online Typography
Just in time for Christmas, here's every Amazon Echo device compared in multiple ways. They all have a check in the NSA column, by the way. 😉
An interesting list of reasons Tim Ferriss left the Bay Area and moved to Austin.
The bureaucracies that prevent a national road toll system.
How to Always Edit Your Crontab Using Vim
Meet one of the new breed of professional role-playing GMs in NYC.
Recorded for the first time, check out how this octopus defends itself from a shark.
The latest version of Nmap has an smb-protocols NSE script, which can tell you how bad a given system is in terms of SMB patching and functionality.
Netlify — a complete CMS with no server, and just 18 lines of code.
GitMiner — Advanced mining for content on GitHub.
I switched from the native Podcasts app on iOS to Overcast. Here's my explanation of why I made the change.
I just had LASIK done at UC Berkeley, and my vision is now spectacular. I could not be happier with the entire experience. So while I've lost one pair of glasses (for now anyway), I've just purchased a pair of PROSPEK computer glasses (at the request of my eye doctor) which are for blue light and glare blocking. Really enjoying them so far.
Run RepoSsessed (a tool I wrote for finding sensitive content in code repositories) on all your public-facing GitHub repos. Find the bad news before someone else does, and get it fixed.
“The good life is one inspired by love and guided by knowledge.” ~ Bertrand Russell