This week’s topics: Amazon’s S3 outage, Uber greyballing, fooling AI, DNS RATs, automating human jobs, suicide and ML, post-work IQ and creativity, greatness vs. imperfection, media choice, tools, projects, and more…
This is Episode No. 68 of Unsupervised Learning—a weekly show where I curate 3-5 hours of reading in infosec, technology, and humans into a 15 to 30 minute summary.
The goal is to catch you up on current events, tell you about the best content from the week, and hopefully give you something to think about as well.
Amazon S3 had a major outage this week, which took down much of the internet. S3 is the backend for so many websites and applications that many are calling it "The internet's hard drive". What I found most fascinating about the outage was Amazon's post-mortem, which identified the cause of the issue as a typo. But rather than saying the sysadmins would be retrained, i.e., blaming the human, they said they'll be implementing tech that will make it impossible for anyone to do this in the future—even if the typo were repeated. I think that's a great answer. Now we just need that for development frameworks. Link
Uber is in (more) trouble because of its use of a technique called Greyballing, which is a play on Blackballing. It's alleged that in cities where Uber was not allowed to operate, Uber would identify city officials and potential investigators and push them a fake version of the app. When they would call a car, it would look like cars would accept, but they would cancel immediately afterwards so they were never able to gather evidence against the company. Link
It's possible to fool a lot of AI systems using what are called Adversarial Examples. Basically they are purposely crafted inputs that cause the AI system to make a mistake, usually involving labeling. You might be able to convince a camera that someone has a gun, for example, or an autonomous car that there's a yield sign instead of a stop sign. The way I characterize this is that if you understand the limitation of the training data, you have a way to attack it. Link
Security professionals everywhere are rejoicing in Marissa Mayer losing her multimillion-dollar cash bonus because of the security issues at Yahoo!. They've felt for years that there could be egregious disregard for infosec but there were never any solid repercussions. Link
HackerOne is offering a free service for Open Source projects. The offering basically allows vetted projects to use the HackerOne platform to manage interaction with the community, but without customer support. Link
Cisco's Talos Intelligence has found a RAT called DNSMessenger that uses DNS TXT records to run PowerShell commands and for C2, so it never has to write any files to disk locally. Link
A researcher found a vulnerability in Google Apps that allowed him to query internal Google domain names, including those for its Active Directory infrastructure. It was essentially an SSRF in their toolbox application, where if you rotated your queries you could pull all sorts of nasty stuff. The researcher received a bounty from Google and the issue has been fixed. Link
CloudPets, a smart stuffed animal that records voice conversations of children and parents, had its MongoDB database compromised, resulting in the exposure of 2 million voice conversations and data from around 800,000 registered users. Then it got hacked and ransomed. Link
Amazon is developing a Voice ID technology. Link
Google has increased all its bounty payouts by 50%, and Microsoft doubled theirs. Link
Google's reCAPTCHA has been successfully attacked again. Link
New software called Contract Intelligence (COIN) performs in seconds a task that used to take staff 360,000 hours. Link
YouTube has launched YouTube TV, which allows you to stream ABC, CBS, FOX, NBC, ESPN, regional sports, and dozens of other cable networks. Link
Chevrolet is about to offer an unlimited 4G LTE data plan on all cars sold in the U.S. for just $20/month. Link
Ford is exploring a mobile van full of drones for last mile delivery. Link
A researcher at Florida State University has used machine learning to predict the chance of someone committing suicide with around 80% accuracy. This is stunning given the previous decades of work yielding no better than a 50/50 coin flip. The system looked at 2 million health records and identified 3,200 people it knew had committed suicide, and machine learning did its regular magic of finding what those people had in common that humans couldn't see. Around 120 Americans commit suicide daily. Link
Sweden has reinstated military conscription because of Russian moves in the Baltic. Link
Japanese universities are struggling to remain elite and relevant. Link
Babies evidently give their mothers stem cells that they can use to heal themselves if needed. Link
There's a new tech where you lock up your smartphone at parties. Link
SpaceX is sending two people on a trip around the moon next year. Link
IQ and Creativity Bias in a Post-work World Link
The Mea Culpa Game: Analysis of IT Post-mortems Link
Greatness vs. Imperfection: How Should We Rate Our Leaders? Link
Governments, Markets, and Media Link
Companies Exist to Serve Customers, Not Employ People Link
The Car Hacker's Handbook is now available for free. Link
GoPhish — An open source phishing framework that has just been updated. Link
A presentation on a car hacking tool called CANToolz. Link
A collection of red team related resources. Link
Hackr.io — A search engine for online programming courses and tutorials. Link
The rise of the Useless Class. Link
AWS Lambda best practices. Link
PaddlePaddle — An open and easy-to-use deep learning platform for enterprise and research. Link
The human body as a transit map. Link
My company, IOActive, released some new research on vulnerabilities in robots. Link
Advice Bill Gates would give his 19-year-old self. Link
Reflect — Design, publish, and share your data. A data visualization platform. Link
A pretty cool Critical Controls PDF. Link
An article on creating macros for Burp Suite. Link
This newsletter (and podcast) won #4 on a list of 35 security podcasts. It was particularly rewarding since the three that beat us are all super professional, highly produced, have tons of sponsors, etc. Over here it's just you and me, so I'm happy with our #4 spot. Thanks for reading! Link
I'm in the middle of making a new primer—this time on OSINT! It's going to be a fairly major one, and I'm going through hundreds of resources by hand to pick the best ones. I will hopefully release it within the next week or two.
I'm still reading Hamilton, but I took a break and am reading Sapiens. It's unbelievably good. Next up after that might be Homo Deus, another book by the same author.
I'm going to Stanford this week to speak about Cybersecurity and AI. Super excited about that.
My buddy Ty has me thinking about getting one of these. Link
If you're a parent, start thinking about what skills in the future are most resistant to AI and machine learning, because that's where you probably want to point them. It's about life skills, too, not just vocation. I'm going to be doing an essay on this soon.
"The problem with humanity is the following: we have Paleolithic emotions, medieval institutions, and godlike technology." ~ E.O. Wilson
Thank you for listening, and if you enjoy the show please share it with a friend or on social media.