The terms intelligence, information, and data are thrown around pretty loosely in most tech circles, and this inevitably leads to people confusing and/or conflating them. What follows is a simple explanation of how the related terms are different from each other, and how they work together. Let’s get into it. Sand, pebble, boulder. Data are raw, individual, and…

Marcus Hutchins got off with time-served, and people have feelings. The range basically goes from ‘he did nothing wrong’, to, ‘he should rot in prison’. In my mind this outcome was close to perfect. Remember, he went through two years of hell since being brought up charges, he’s still a convicted felon, and he also is largely banned from the US. I think it’s good that he admitted guilt, faced consequences, and is being offered a chance to continue giving back to the community. More

Lots of people in the security community went silly over the FaceApp application last week, basically saying that you shouldn’t be using the application because they’ll steal your face and then be able to impersonate you.

Parts of Manhattan had a power outage Saturday night, which happened to be the anniversary of another power outage in 1977. The power company apologized but didn’t explain what happened. The hacker in me thinks this could easily be a probing shot by a sophisticated attacker, or a fun prank by amateurs.

The Telegraph has found strong links between Huawei employees and Chinese intelligence agencies. The Huawei counter was that this was extremely common among telecom companies, and that it wasn’t a big deal. The counter to that counter was, basically, “Well, then why did you try to hide it?” /gg

I many years ago I wrote a piece about why I didn’t think Craig was Satoshi, and a bunch of reporters hit me up immediately for interviews. I didn’t give any, and I deleted the post. I think they were so interested because they had tracked down my interactions with him (not about bitcoin) from back in the…

Marcus Hutchins wrote a great essay recently about YouTube’s new ban on “hacking” videos. He writes: One major problem here is that hacking tutorials are not inherently bad. There exist a vast YouTube community aimed at teaching the next generation of cyber security experts.YouTube’s New Policy on Hacking Tutorials is Problematic, Marcus Hutchins I think he’s absolutely correct,…

I created a new tutorial on OWASP Amass, and just joined the team as a contributor as well. Tutorial

Chinese hacking groups have been embedded deep inside multiple major US tech firms for many years, including Fujitsu, Tata, NTT, Dimension Data, and HPE. The first thing you should be thinking is where else they are today. More

We’re about to collide into the brick wall that is personal data privacy. There are several things to work out, but what I find most interesting to think about is the potential solutions and how they form based on incentive structures. I think it’s obvious that there’s going to be both a government and a corporate component, and…

There’s a Linux vulnerability called SACK Panic (among other names) that takes advantage of a kernel feature called Selective ACK. The feature lets systems tell the other side of the conversation how much data it’s received, and it turns out it can be overflowed or fuzzed.

The US is supposedly ramping up attacks against Russian power grid through the use of new cyberattack powers granted by Trump. I am happy to hear of this, but it’s an example of where we as outsiders can only know a tiny fragment of the story. But any signs that this administration sees Russia as a foe, and are treating it as such, are positive in my view.

Some absolutely fascinating research has just come out on what percentages and types of vulnerabilities are actually exploited in the wild. It found that only 5.5% of vulnerabilities discovered between 2009 and 2018 were actually exploited, with most of those being issues with a CVSS score of 9 or 10.

This is a Member-only episode. Members get the newsletter every week, and have access to the Member Portal with all existing Member content. Non-members get every other episode. Sign in or… Become a member and get immediate access

A sci-fi trilogy called The Three Body Problem included a powerful concept called Dark Forest Theory, which basically says it’s a bad idea for people who don’t know about their surroundings to make noise that might attract attention. Or, taken as a game theory strategy, it’s better to destroy other civilizations before they get the chance to destroy…

I’m a huge fan of Rob Graham and all he’s done for InfoSec. I also enjoy the fact that he seldom avoids a tussle. If he disagrees with you, you’re likely to hear about it. I probably agree with him on 85% of topics, so when he did a post recently, called Your Threat Model is Wrong, I…

Someone released a video recently that seemed to show Nancy Pelosi slurring and mangling her speech. The video spread virally in right-leaning circles, but it soon turned out to be fake. I commented on this in my most recent newsletter, saying: What this shows us is that it’s not the machine learning that makes Deepfakes dangerous; it’s the…

Unsupervised Learning is my weekly show that provides collection, summarization, and analysis in the realms of Security, Technology, and Humans. It’s Content Curation as a Service… I spend between five and twenty hours a week consuming articles, books, and podcasts—so you don’t have to—and each episode is either a curated summary of what I’ve found in the past…

This is a Member-only episode. Members get the newsletter every week, and have access to the Member Portal with all existing Member content. Non-members get every other episode. Sign in or… Become a member and get immediate access

Unsupervised Learning is my weekly show that provides collection, summarization, and analysis in the realms of Security, Technology, and Humans. It’s Content Curation as a Service… I spend between five and twenty hours a week consuming articles, books, and podcasts—so you don’t have to—and each episode is either a curated summary of what I’ve found in the past…

Many years ago, Verizon started a trend by releasing their Data Breaches Investigations Report, and today there are dozens of companies releasing similar offerings. But even with all the competition—some of which are quite good—the original DBIR report is still my favorite. Get the full report Here were my main takeaways from this year’s release. Meta This is…

So I was listening to the Risky Business podcast this week and heard Adam Boileau mention something extremely juicy in passing during the news segment. Patrick asked him about Microsoft removing password expiration in an upcoming version of Windows, and if he thought that was a good or bad thing. His response was super interesting. They also mention…

Unsupervised Learning is my weekly show that provides collection, summarization, and analysis in the realms of Security, Technology, and Humans. It’s Content Curation as a Service… I spend between five and twenty hours a week consuming articles, books, and podcasts—so you don’t have to—and each episode is either a curated summary of what I’ve found in the past…

This is a Member-only episode. Members get the newsletter every week, and have access to the Member Portal with all existing Member content. Non-members get every other episode. Sign in or… Become a member and get immediate access

Unsupervised Learning is my weekly show that provides collection, summarization, and analysis in the realms of Security, Technology, and Humans. It’s Content Curation as a Service… I spend between five and twenty hours a week consuming articles, books, and podcasts—so you don’t have to—and each episode is either a curated summary of what I’ve found in the past…

This is a Member-only episode. Members get the newsletter every week, and have access to the Member Portal with all existing Member content. Non-members get every other episode. Sign in or… Become a member and get immediate access

Unsupervised Learning is my weekly show that provides collection, summarization, and analysis in the realms of Security, Technology, and Humans. It’s Content Curation as a Service… I spend between five and twenty hours a week consuming articles, books, and podcasts—so you don’t have to—and each episode is either a curated summary of what I’ve found in the past…

This is a Member-only episode. Members get the newsletter every week, and have access to the Member Portal with all existing Member content. Non-members get every other episode. Sign in or… Become a member and get immediate access

I just finished listening to an extraordinary episode of Making Sense with Sam Harris, where Roger McNamee was the featured guest. He is a long-time tech analyst and investor, and actually used to be an advisor for Facebook before becoming an outspoken critic. Roger’s points were legion, and covered the now familiar ground regarding the collection of our…

I heard Renée DiResta on the Sam Harris podcast a while back, and was excited to learn that she just appeared on Joe Rogan as well. Her work is focused on misinformation campaigns, and she works at a place that tries to combat the problem. Anyway, I was listening to her and Joe talking, and I somehow started…

Unsupervised Learning is my weekly show that provides collection, summarization, and analysis in the realms of Security, Technology, and Humans. It’s Content Curation as a Service… I spend between five and twenty hours a week consuming articles, books, and podcasts—so you don’t have to—and each episode is either a curated summary of what I’ve found in the past…

This is a Member-only episode. Members get the newsletter every week, and have access to the Member Portal with all existing Member content. Non-members get every other episode. Sign in or… Become a member and get immediate access

RSA was good this year, but I didn’t really notice any major new trends. Nothing on the scale of—say—AI, or blockchain. But there were some disruptions that looked quite interesting. Primary themes The overall themes I saw this year were largely the same as last year, with a few notable changes. AI talk has become a lot more…

Unsupervised Learning is my weekly show that provides collection, summarization, and analysis in the realms of Security, Technology, and Humans. It’s Content Curation as a Service… I spend between five and twenty hours a week consuming articles, books, and podcasts—so you don’t have to—and each episode is either a curated summary of what I’ve found in the past…

Most people have heard that 5G is forthcoming, but few are versed on the key advantages over 4G LTE. Here’s a primer. Speed: Becasue it’ll work at much higher frequencies (many proposals use ranges over 6Ghz) you can move more data per unit of time. More Call Capacity: there will be less congestion and service degradation in busy…

This is a Member-only episode. Members get the newsletter every week, and have access to the Member Portal with all existing Member content. Non-members get every other episode. Sign in or… Become a member and get immediate access

Unsupervised Learning is my weekly show that provides collection, summarization, and analysis in the realms of Security, Technology, and Humans. It’s Content Curation as a Service… I spend between five and twenty hours a week consuming articles, books, and podcasts—so you don’t have to—and each episode is either a curated summary of what I’ve found in the past…

This is a member-only even episode. Members get the newsletter every week, as well as access to all previous episodes, while free subscribers only get odd episodes every other week. Become a member to get access immediately

Unsupervised Learning is my weekly show where I spend 5-20 hours finding the most interesting stories in security, technology, and humans, which I then curate into a 30-minute podcast & companion newsletter. The goal is to catch you up on current events, show you the best content from around the web, and hopefully give you something to think…

I have two favorite conferences of the year: AppSec Cali ENIGMA ENIGMA 2019 ended today, and I wanted to do a quick capture on what I saw and found interesting there. The conference For me conferences are all about the combination of ideas, people, and conversation, and that’s what both of these do really well. First a bit…

This is a member-only even episode. Members get the newsletter every week, as well as access to all previous episodes, while free subscribers only get odd episodes every other week. Become a member to get access immediately

Unsupervised Learning is my weekly show where I spend 5-20 hours finding the most interesting stories in security, technology, and humans, which I then curate into a 30-minute podcast & companion newsletter. The goal is to catch you up on current events, show you the best content from around the web, and hopefully give you something to think…

There’s currently a major backlash in the InfoSec community against so-called “smart” locks. And it’s not just by people who naturally overreact to change, or from people outside of InfoSec: there are plenty of smart people in our field—whom I respect greatly—that are making loud noises against this technology. So I want to make it absolutely clear that…

This is a member-only even episode. Members get the newsletter every week, as well as access to all previous episodes, while free subscribers only get odd episodes every other week. Become a member to get access immediately

The NSA is releasing a free reverse engineering tool this year at the RSA security conference in San Francisco. A lot of people are asking about the motive of the NSA releasing a free reverse engineering tool at RSA this year.Theories include: it’s a backdoor, it’s a tracking mechanism, etc.My opinion? Recruiting.It’s a PR move to attract talent…

Unsupervised Learning is my weekly show where I spend 5-20 hours finding the most interesting stories in security, technology, and humans, which I then curate into a 30-minute podcast & companion newsletter. The goal is to catch you up on current events, show you the best content from around the web, and hopefully give you something to think…

Short answer: it’s a trick question. Privacy is part of security. But just because one is part of the other doesn’t mean they are the same. There’s a nuance there that’s important. The word “security” is shorthand for “information security” or “cybersecurity” in this parlance. Information Security is about controlling access to information. Privacy is about making sure…

I’ve mentioned this in numerous places for the last few years, so I decided it was time to finally put it into a formal piece. It seems obvious at this point that China is building a massive database of information on American individuals and companies, which they can then use for various purposes—including espionage, intellectual property theft, extortion,…

I saw a tweet recently by Robert M. Lee—a highly respected ICS Security professional in the industry. When folks put “ICS” in the category of “IOT” it conflates the systems, purpose, value, and risks of separate communities. There’s important differences between a robot arm in a car manufacturing plant and your internet connected doll even if both have…

January always feels fresh to me—a chance to be better. But at the same time, it’s really just a day after the end of December. This is why I don’t do New Year Resolutions. Basically, if you wanted to do that thing bad enough, you would have done it already. But that’s for things that you can do…

This is a member-only even episode. Members get the newsletter every week, as well as access to all previous episodes, while free subscribers only get odd episodes every other week. Become a member to get access immediately