Unsupervised Learning No. 233
MEMBER EDITION | EP. 233 | June 15, 2020
THIS WEEK’S TOPICS: SMBleed, Republicans. vs. China, Hawkey Surveillance, COVID in August 2019, IBM Facial PR, Palantir NHS, Blockchain Misinformation, Technology News, Human News, Ideas Trends & Analysis, Discovery, Recommendations, and the Weekly Aphorism…
SECURITY NEWS
There's an extremely nasty SMB vulnerability that was just patched in MIcrosoft's patch Tuesday, which basically works like psexec for attackers. Please get your 445 off the internet if you can. And high-fives to all those pentesters in the mines. It's funny, we've been saying for a decade that pentesting would be near impossible before too long. But the vulns keep coming. More
A group of Republicans (the Republican Study Committee) is taking action to highlight and restrict China's various influence operations within the US. More
A private company with Hawkeye cameras strapped to Cesnas was hired by the Baltimore Police Department to fly over and monitor the city. The ACLU is suing. This also ties into another story where a guy used a simple SDR to log aircraft beacons and callsigns, and found an FBI surveillance plane near LA. Between the cameras everywhere, the planes flying overhead, we really are becoming a surveillance state. I truly believe it's possible to do this well, and for the right reasons—i.e., transparently, and with the full endorsement of the people—but I also believe that's the opposite of how we're doing it. More More
Analysis of hospital traffic using satellite imagery and Baidu search engine activity indicate that Wuhan was already facing a significant outbreak in late summer, early fall of 2019. More
IBM said they're getting out of the facial recognition business for ethical reasons, but I and a lot of others see this like Blackberry getting out of the AI business. There were many such announcements and they all smelled strongly of PR in my opinion. Amazon paused selling Rekognition to police departments for a year. And there's a bill in Congress to limit the use of facial recognition. More
Britain gave Palantir sensitive access to NHS data as part of their £1 deal. More
It's possible to identify individuals by looking at their heartbeat data, and that's flared up the common security debate around biometrics. I talked about how the theft threat was overblown back in 2017. A number of steps in many biometric authentication workflows make the systems resistant to these steal-once / use forever attacks. First, it's hashes that are usually stored, not high-res images of the source data. Second, devices that take the readings can be improved as attacks improve. Third, in the future, it'll likely be a massive combination of readings that will be used simultaneously to identify someone, not single factors. And finally, auth systems can evolve based on what we know has been stolen and copied. If everyone's biometrics were perfectly stolen and replicated, we would simply stop using them. There are definitely valid concerns with biometrics (as with any auth system), and we should be thoughtful as this inevitable switch is made, but it's not the Pandora's Box that people think it is. More
The New York Times had their R&D team build a prototype blockchain system for combatting misinformation. The system allows people to see the history of something being shared. More
Twitter is testing out a feature that will prompt you if you try to retweet something without reading it. More
China is spending $1.4 trillion dollars over the next 5 years to develop 5G, AI, and datacenters. This includes plans to build 600,000 new 5G towers by the end of 2020. More
A number of city blocks in Seattle are now "Autonomous" meaning that Seattle itself is not claiming authority there. Protesters there have designated the area as owned by the people. More
Twitter has removed over 170,000 accounts associated with Chinese state-linked media campaigns around COVID-19, the Hong Kong protests, and George Floyd. More
Spies can now eavesdrop by watching the vibrations of a lightbulb in a room. Before you ask—yes, it's research from Israel. More
Putin just said in an interview that the US is in "deep internal crisis" due to the US's inability to accept Trump as a legitimate president. Nicely played. I honestly can't wait to read in 10 to 20 years what was really happening in the current moment with regard to Russia and the US. It's going to be the best spy story ever written. More
Vulnerabilities:
There's an extremely critical SMB vulnerability that basically works like psexec for the attacker. More
Microsoft's Patch Tuesday has 129 CVEs. More
IBM Websphere has two critical issues. More
There's a new vulnerability in UPnP. Remember to disable it on your IoT stuff if at all possible. More
23 issues in SAP, with two being critical. More
Adobe has updates to Flash, Experience Manager, and Framemaker. More
Breaches:
Nintendo says another 140,000 accounts may have been accessed in its recently announced breach. More
Babylon Health leaked their video health consultations. More
Companies:
Palantir is set to IPO soon. More
TECHNOLOGY NEWS
Facebook has an AI-based system called TransCoder that can convert code back and forth between C++, Python, and Java. More
Quite a bit of the US's AI supremacy relies on Chinese talent, and many are worried that trade tensions will remove that advantage. More
United has added touchless check-in kiosks around the country. More
Grammarly has added custom business style guides. More
Companies:
Grow Credit builds peoples' credit scores by paying for online subscriptions. More
Snowflake as filed for their IPO. More
HUMAN NEWS
California has banned private prisons and immigration detention centers. More
Dogs have been trained to detect people who have COVID-19 at a 95% success rate. More
Around one-third of heterosexual American males aged 18-24 reported having no sex in the last year. Researchers said women are preferring men of higher socioeconomic status, and that more women now have college degrees, which are two factors affecting the chances of having heterosexual encounters for men. More
24-hour Fitness is permanently closing around a quarter of its gyms, including 10 in the SF Bay Area. More
Russia had a major oil spill in the Arctic. More
Brazil deforested 10,000 square kilometers of rainforest in 2019, which is a 34% increase over 2018. I don't have many authoritarian tendencies, but getting the international community to intervene and protect the Amazon is one of them. More
IDEAS, TRENDS, & ANALYSIS
It might be a really good time for companies to move towards Zero Trust architectures. More
Gene Spafford was interviewed about digital voting security and came to the same conclusion I did after attending ENIGMA one year. In short, all the experts agree it's a bad idea. More
Layoffs are coming, and employers need to do them right. More
UPDATES
I'm in the middle of working on two big presentations right now, so I've been writing a bit less. But that'll be done in two weeks and I'll just have one presentation in August to prepare for.
I've finished the book on Complex PTSD, Nonviolent Communication, and now I'm reading Getting to Yes.
DISCOVERY
A project that lets you explore ISS images of Earth for a given location. More
Create diagrams with code, using Graphviz. More
Cloud Pentesting Cheatsheets More
The word "huh?" seems to exist in every language. More
Using SharpChisel to ExFil data from a network. More
How to talk about your experience and perspective using stories during interviews. More
All slides from NahamSec this weekend, including my buddy Jason's session on his Bug Hunter's Methodology v4! More
How to use a serious camera as your webcam. More
A Machine Learning Field Guide More
A broad interview with Marc Andreessen about time management, reading, and other topics. More
A deep-dive into fountain pen ink properties. More
Canary Tools — Plant triggers all over your network and applications, and get notifications if anyone trips them. More
Gordon — A tool to check multiple reputation lists based on IP or domain. More
Baby Shark — A C2 server that uses Google translate as a proxy. More
URLCrazy — A tool to testing typo-squatting attacks against your domains. More
RECOMMENDATIONS
Nonviolent Communication is an extraordinary book for conflict resolution. I do think it could have had a better name though. I spent all these years thinking it was about hostage negotiation or something, but no—it's really quite universal. More
APHORISMS
"Life consists of what one thinks of all day."
~ Ralph Waldo Emerson