Unsupervised Learning is my weekly show that provides collection, summarization, and analysis in the realms of Security, Technology, and Humans. It’s Content Curation as a Service… I spend between five and twenty hours a week consuming articles, books, and podcasts—so you don’t have to—and each episode is either a curated summary of what I’ve found in the past…

This is a member-only even episode. Members get the newsletter every week, as well as access to all previous episodes, while free subscribers only get odd episodes every other week. Become a member to get access immediately

Unsupervised Learning is my weekly show where I spend 5-20 hours finding the most interesting stories in security, technology, and humans, which I then curate into a 30-minute podcast & companion newsletter. The goal is to catch you up on current events, show you the best content from around the web, and hopefully give you something to think…

I have two favorite conferences of the year: AppSec Cali ENIGMA ENIGMA 2019 ended today, and I wanted to do a quick capture on what I saw and found interesting there. The conference For me conferences are all about the combination of ideas, people, and conversation, and that’s what both of these do really well. First a bit…

This is a member-only even episode. Members get the newsletter every week, as well as access to all previous episodes, while free subscribers only get odd episodes every other week. Become a member to get access immediately

Unsupervised Learning is my weekly show where I spend 5-20 hours finding the most interesting stories in security, technology, and humans, which I then curate into a 30-minute podcast & companion newsletter. The goal is to catch you up on current events, show you the best content from around the web, and hopefully give you something to think…

There’s currently a major backlash in the InfoSec community against so-called “smart” locks. And it’s not just by people who naturally overreact to change, or from people outside of InfoSec: there are plenty of smart people in our field—whom I respect greatly—that are making loud noises against this technology. So I want to make it absolutely clear that…

This is a member-only even episode. Members get the newsletter every week, as well as access to all previous episodes, while free subscribers only get odd episodes every other week. Become a member to get access immediately

The NSA is releasing a free reverse engineering tool this year at the RSA security conference in San Francisco. A lot of people are asking about the motive of the NSA releasing a free reverse engineering tool at RSA this year.Theories include: it’s a backdoor, it’s a tracking mechanism, etc.My opinion? Recruiting.It’s a PR move to attract talent…

Unsupervised Learning is my weekly show where I spend 5-20 hours finding the most interesting stories in security, technology, and humans, which I then curate into a 30-minute podcast & companion newsletter. The goal is to catch you up on current events, show you the best content from around the web, and hopefully give you something to think…

Short answer: it’s a trick question. Privacy is part of security. But just because one is part of the other doesn’t mean they are the same. There’s a nuance there that’s important. The word “security” is shorthand for “information security” or “cybersecurity” in this parlance. Information Security is about controlling access to information. Privacy is about making sure…

I’ve mentioned this in numerous places for the last few years, so I decided it was time to finally put it into a formal piece. It seems obvious at this point that China is building a massive database of information on American individuals and companies, which they can then use for various purposes—including espionage, intellectual property theft, extortion,…

I saw a tweet recently by Robert M. Lee—a highly respected ICS Security professional in the industry. When folks put “ICS” in the category of “IOT” it conflates the systems, purpose, value, and risks of separate communities. There’s important differences between a robot arm in a car manufacturing plant and your internet connected doll even if both have…

January always feels fresh to me—a chance to be better. But at the same time, it’s really just a day after the end of December. This is why I don’t do New Year Resolutions. Basically, if you wanted to do that thing bad enough, you would have done it already. But that’s for things that you can do…

This is a member-only even episode. Members get the newsletter every week, as well as access to all previous episodes, while free subscribers only get odd episodes every other week. Become a member to get access immediately

I was doing the Twitter thing recently, and someone was talking about red teaming and I had an epiphany: Vaccination and Red Teaming are extremely similar. Or at least they should be. Here are some similarities: The main purpose is to strengthen the defenses It’s done by exposing defenses to the bad stuff Its effect weakens over time,…

Unsupervised Learning is my weekly show where I spend 5-20 hours finding the most interesting stories in security, technology, and humans, which I then curate into a 30-minute podcast & companion newsletter. The goal is to catch you up on current events, show you the best content from around the web, and hopefully give you something to think…

Don’t call them cameras or microphones anymore. Those are human-centric names, and humans are about to be the Neandertals of detection. I first heard this idea regarding cameras from Benedict Evans. What we’re moving towards is a world where sensors are everywhere—and of multiple types: Visible light Non-visible light Radio waves Sound Vibration Chemicals Radioactivity Air pressure Etc,…

One of the most frustrating things to me as a security person is having sales and marketing types confuse the different types of security assessment. Similarities And among those types of assessment, the pentest and red team are two of the most commonly mangled. First, let’s start with similarities. They’re both types of security assessment, meaning their goal…

This is a member-only even episode. Members get the newsletter every week, as well as access to all previous episodes, while free subscribers only get odd episodes every other week. Become a member to get access immediately

Brian Krebs ran a story recently about how FICO has a new service for rating the Cybersecurity risk level of various companies. Problem is, in one of their marketing communications about the new offering, they leaked the actual report data for a little company called ExxonMobil. I find this space both strange and fascinating. On one hand I…

Unsupervised Learning is my weekly show where I spend 5-20 hours finding the most interesting stories in security, technology, and humans, which I then curate into a 30 minute podcast & companion newsletter. The goal is to catch you up on current events, show you the best content from around the web, and hopefully give you something to…

This is a member-only even episode. Members get the newsletter every week, as well as access to all previous episodes, while free subscribers only get odd episodes every other week. Become a member to get access immediately

This is a member-only even episode. Members get the newsletter every week, as well as access to all previous episodes, while free subscribers only get odd episodes every other week. Become a member to get access immediately

🛡️ Security News Ukraine has found another nasty piece of malware targetting their government systems. It’s a Windows backdoor called Pterodo. Link China has turned on their social credit system that was basically a Black Mirror episode, and it’s resulted in the blacklisting of millions of Chinese from booking flights. Their scores were too low. Unreal. Link The US…

This is a member-only even episode. Members get the newsletter every week, as well as access to all previous episodes, while free subscribers only get odd episodes every other week. Become a member to get access immediately

Security News 👋 We’re preparing to release the 2018 version of the OWASP IoT Top 10, and we would love your feedback! Updated to include a feedback form. Form Link 🛑 Check your Facebook account to see if it was hacked. Link The company that owns Fortnite has purchased a company focused on stopping cheaters. Link A government report…

There are tons of VPN options out there, and the field is confusing enough that I did a post on the topic a while back to help people pick one of the better ones and avoid the scams. But if you look at the considerations for making a good choice, they mostly reduce to the following: Privacy Log…

I’ve been obsessed with entropy since I learned about it in high school. It’s highly depressing, but it’s awesome at the same time given how inevitable it is, and how it’s happening all the time and all around us. I was just reading The Most Human Human, by Brian Christian, and it reminded me that I’ve wanted to…

If you haven’t heard yet—which is unlikely—there’s a problem with hiring in cybersecurity. The issue is we’re not sure of the nature of that problem. A number of studies are talking about there being 3.5 million unfilled cybersecurity positions by 2021. But many are in that same market looking for work and are unable to find any. So…

[ UPDATE: The project is now live here. ] Please give your feedback on the list here. The OWASP Internet of Things Top 10 has not been updated since 2014, for a number of reasons. First of which was the fact that we released the new umbrella project that removed focus from the Top 10 format. This, in…

Many of the calls are actually in Mandarin, which I don’t speak. Over the last few months I’ve seen my spam phone calls go from around one a week to like ten a day, and it’s been infuriating. After a good bit of Googling, I ended up coming up with two solutions that reduced the problem by around…

I just stumbled upon an article by Mark R. Heckman, Ph.D, CISSP, CISA that—like so many others in the industry—wildly contorts himself to make a distinction between security and privacy. He writes: I argued here why I don’t think this difference matters as much as people think. Without a clear understanding of the difference, data security and privacy…

Subscribe here to get this in your inbox every week. Security News 😮 The governments of the “Five Eyes” (US, Australia, UK, Canada, and New Zealand) have asked the world’s largest tech companies to build encryption backdoors into their systems. But more than just asking, they also said, ”Should governments continue to encounter impediments to lawful access to information…

For those who have been in information security for a while, nmap is like a warm and familiar blanket. Except this blanket kicks ass. It is—without question—the most versatile portscanner ever. A lot of people know that. Read my masscan tutorial. What fewer people know, however, is that with NSE scripting functionality nmap can do things you wouldn’t expect from a portscanner.…

There’s a famous, often-misattributed quote in the tech scene that says something like: If you’re not paying for a given service, then you’re not the customer—you’re the product.Many people, going back to the 70’s This is fairly well understood for services like Google and Facebook, where the service is basically free but the companies make most of their…

If you’ve spent any time coding in InfoSec, you’ve probably used a ton of curl to pull websites, check them for various issues or attributes, etc. This will follow redirects and provide a non-curl User Agent. curl -LA 'Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5' reddit.com…

Subscribe here to get this in your inbox every week. Security News TLS 1.3 is finalized and should start rolling out everywhere soon. Adoption is expected to be quick. Link Burp continues to impress with its massive campaign of improvements and blog posts describing them. They recently just talked about how they’re adding point-and-shoot scan functionality, where you…

Subscribe here to get this in your inbox every week. Security News The DHS is launching a new group to protect critical infrastructure. Link Cisco is buying Duo Security for $2.35 billion. Link Reddit had a security incident related to SMS 2FA, and their write-up on it is quite solid. I can actually gain trust in a company…

This week’s topics: Air marshal surveillance, Russians hacking control systems, Google 2FA, 23andMe sharing your data, Pentagon’s DoNotBuy list, technology news, human news, discovery, notes, recommendations, and the aphorism of the week… Every week I spend 5-20 hours finding the most interesting stories in security, technology, and humans, which I then curate into a 30 minute podcast &…

A lot of people have questions about the concept of DNS Rebinding attacks, and many of the overviews dive too deep into the details. Here’s a simple explanation that should help those having trouble getting it. DNS Rebinding lets you send commands to systems behind a victim’s firewall, as long as they’ve somehow come to a domain you…

We’re starting to see significant debate around the terms SOC vs. CSIRT, and which one companies should have. As with most such debates in tech—which is moving almost as fast as we can lock down definitions—the issue is largely one of semantics. To start, Wikipedia says a SOC is a centralized unit that deals with security issues on…

For anyone who’s been worried that their online fingerprint was going to be used against them, this paper will provide them their vindication. Here’s how they describe the analysis: As a simple example, every website can effortlessly track whether a customer is using an iOS or an Android device; or track whether a customer comes to the website…

The Information Security community has been debating software reliability for decades. Some say software is too advanced to place guarantees on it. And others say that unless we hold creators/builders responsible, nothing will improve. Nassim Taleb’s Skin in the Game is what got me thinking about this topic. As it turns out, the most ancient law that we…

I’ve been writing more defined and concise posts lately—usually clean ideas that have a beginning and an end. I like it, and I plan to keep doing it. But not today. Today I just need to write. Today this will be an old-school blog, or a journal. There are a lot of things happening in America right now.…

There’s a common belief in InfoSec circles that Security and Privacy are related, but that they’re different enough to constantly mention the distinction. I don’t think the difference should matter much to defenders much at all, and in fact if you look close enough the distinction nearly vanishes. They are simply different aspects of the unified goal of…

Any time you see us using cameras to feed a Machine Learning algorithm, I think we’ll start calling that Machine Learning Vision, and, eventually, Computer Vision. The key point is that computers can parse video (and other sensor data) and figure out things that even humans cannot. The combination of audio, video, heat, other types of EM waves,…

I have a 1,001 friends in InfoSec who I hear things like this from on a regular basis: I’d never put one of those things in MY house! I’m in security! They’re going to find flaws in those things, you wait and see! Then when something happens, like a private conversation being sent to a random person, they…

In this Security Report Analysis (SRA) series I look at various security reports and pull out the main points. This doesn’t replace a complete and detailed read of these reports, but it exposes you to some of the key takeaways that you might not otherwise have seen. REPORT: The 2018 DBIR Report Key points These points are a…

The more a company can tell me about their assets the better their security is, and the more comprehensive and realtime the inventory is, the more mature they are. This has been true for me over 15 years of consulting across hundreds of organizations. Click here to listen to the audio version of this essay. But just try—either…